Install Skype In Kali


Janata Bank Limited
Information and Communication Technology (ICT) Policy
March, 2016
Version 2.0
Information and Communication Technology Division [ICTD-System and ICTD-Operation]
Janata Bank Limited, Head Office, Dhaka.

WORKING COMMITTEE

Coordinator
Md. Nurul Islam Mozumder, Deputy General Manager, ICT Department-Operation, Janata Bank Limited

Members
Mohammad Sohrab Hossain, Assistant General Manager, ICT Department-System, Janata Bank Limited
Mohammad Shakhawat Hossain, First Assistant General Manager, ICT Department-Operation, Janata Bank Limited
Md. Abul Khair, First Assistant General Manager, ICT Department-Operation, Janata Bank Limited
Md. Hashan Reza Hoshayeni, First Assistant General Manager (Computer), ICT Department-Operation, Janata Bank Limited
Muhammad Alamgir Kabir, Senior Executive Officer (Computer), ICT Department-Operation, Janata Bank Limited
Md. Kamruzzaman, Executive Officer (Computer), ICT Department-System, Janata Bank Limited

INDEX

1. Introduction
   1.1 Objectives
   1.2 Scope
   1.3 Categorization of computerization in Janata Bank Limited
   1.4 Minimum characteristics/features of the Central Data Center (CDC) and Disaster Recovery Site (DRS) for Janata Bank Limited
2. ICT Security Management
   2.1 Roles and Responsibilities
       2.1.1 Roles and Responsibilities of Board of Directors
       2.1.2 Roles and Responsibilities of ICT Steering Committee
       2.1.3 Roles and Responsibilities of ICT Security Committee
   2.2 ICT Security Policy
   2.3 Documentation
   2.4 Internal Information System Audit
   2.5 External Information System Audit
   2.6 Standard Certification
   2.7 Training and Security Awareness
   2.8 Insurance or Risk Coverage Fund
3. ICT Risk Management
   3.1 ICT Risk Governance
   3.2 ICT Risk Assessment
   3.3 ICT Risk Response
4. ICT Operation Management
   4.1 Organizational structure of ICT at Janata Bank Limited
   4.2 Operating Procedures
   4.3 Request Management
   4.4 Change Management
   4.5 Incident Management
   4.6 Problem Management
   4.7 Capacity Management
5. Infrastructure Security Management
   5.1 Asset Management
       5.1.8.1 Disposal Management
   5.2(a) Desktop Controls
   5.2(b) Laptop, Notebook Device Controls
   5.3 BYOD Controls
   5.4 Server Security Controls
   5.5 Data Center Controls
       5.5.1 Physical Security
       5.5.2 Environmental Security
   5.6 Server/Network Room/Rack Controls
   5.7 Networks Security Management
   5.8 Cryptography
   5.9 Malicious Code Protection
   5.10 Internet Access Management
   5.11 Email Management
   5.12 Vulnerability Assessment and Penetration Testing
   5.13 Patch Management
   5.14 Security Monitoring
6. Access Control of Information System
   6.1 User Access Management
   6.2 Password Management
   6.3 Input Control
7. ICT Goods and Service related Management
   7.1 Procurement Management
   7.2 Third Party Service Provider Management
       7.2.1 Service Level Agreement (SLA)
       7.2.2 Outsourcing
8. Acquisition and Development of Information Systems
   8.1 ICT Project Management
   8.2 Vendor Selection for System Acquisition
   8.3 In-House Software Development
   8.4 Software Documentation
   8.5 Statutory Requirements
9. Alternative Delivery Channels (ADC)
   9.1 ATM/POS Transaction
   9.2 Internet Banking
   9.3 Payment Cards
10. Business Continuity Plan (BCP)
   10.1 Roles, Responsibility and Process of BCP for ICT
   10.2 Preparation of BCP Committee for ICT
   10.3 Guideline for Business Continuity Plan for ICT
       10.3.1 Business Continuity Plan (BCP) for ICT Operations (Online Operation)
       10.3.2 Business Continuity Plan (BCP) for ICT Operations (Legacy Operation)
       10.3.3 Business Continuity Plan (BCP) for ICT Operations (Standalone PC/Laptop)
       10.3.4 Common BCP Plan for ICT Operation (all TIERs)
11. Disaster Management Policy (DMP) for ICT
   11.1 Disaster Recovery Plan (DRP) for ICT
   11.2 Impact of Disaster on JBL ICT Operation
   11.3 Scope of DRP for ICT Operation
   11.4 Disaster Recovery Plan for ICT Operation
       Step by Step Procedure of Disaster Recovery for DRS
   11.5 Formation of Disaster Recovery Team (DRT) for ICT Operation
   11.6 Action Steps to create full Disaster Recovery
   11.7 Conclusion
12. Backup and Restore Plan (BRP)
   12.1 Scope of Backup and Restore Plan (BRP)
   12.2 Backup and Restore Plan (BRP) Procedure Tools
   12.3 Description of Tools
   12.4 Backup Policy for Data Center and Disaster Recovery Site: TIER-1
   12.5 General Backup Policy for TIER-1, TIER-2, TIER-3
   12.6 Backup Restoration Procedure
   12.7 Documentation of Restoration Process
GLOSSARY AND ACRONYMS
ANNEXURES

Chapter 1

1. Introduction

The development of Information and Communication Technology (ICT) and its wide utilization across the world have made ICT a strategic tool for achieving socioeconomic development goals globally. The increasing capacity of ICT has been further empowered by the growth of a global network of computer networks, i.e. the Internet.
It has impacted the way business is conducted, facilitated learning and knowledge sharing, generated global information flows, empowered citizens and communities in ways that have redefined governance, and created significant wealth and economic growth, resulting in a global knowledge society. Today's business environment is very dynamic and undergoes rapid change as a result of technological innovation, increased awareness and demands from customers. The banking industry of the current century operates in a complex and competitive environment characterized by these changing conditions and a highly unpredictable economic climate. ICT is at the center of this global change curve. The application of ICT concepts, techniques, policies and implementation strategies to banking services has become a subject of fundamental importance and concern to all banks. Banks utilize ICT in their day-to-day operations for better, error-free and prompt customer service, organized management decisions and risk management. Nowadays banks are exposed to a variety of operational and transactional risks, including crime, employment fraud and natural disaster. Additionally, because of the nature and amount of information gathered regarding the financial transactions of its customers and the extensive use of technology to process this information, the Bank is exposed to specific information and technology risks. It is only appropriate to have a policy-backed, strong process to mitigate any such crisis. Considering the importance of the ICT operational framework of Janata Bank Limited, the magnitude of future expansion and the need to ensure best practices in ICT operation, an 'Information and Communication Technologies Policies-2008' was introduced in 2008, approved by the Board of Directors in its 59th meeting held on 29th October 2008.

Now, this version of the policy, with updated features, has been prepared to be used as a minimum requirement, applied as appropriate to the level of the bank's ICT operation.

1.1 Objective

The day-to-day management of the ICT operation, the various production systems and Data Centers for online and offline banking operation, all related resources and all the personnel of Janata Bank Limited are crucial components of ICT which have to be covered with proper safety and security and controlled by a standard policy. ICT is related to both the logical and physical existence and protection of data, applications, computers, networks and associated ICT equipment. The ICT policy also covers the security of, and ensures the environmental support for, the related equipment and communication systems that are necessary to banking and business activities. A comprehensive ICT policy is thus essential for the proper and lawful development, management, maintenance, security and use of ICT assets.

1.2 Scope

The following key scopes should be maintained, protected and monitored for the ICT operation of Janata Bank Limited:
a) Provide all related personnel of the bank with clear instruction of their responsibilities in managing and using operational systems, information, resources and all related equipment;
b) Provide an operational ICT environment aimed at minimizing the possibility of security violation incidents;
c) Provide access control, system logging and audit facilities to monitor business systems;
d) Provide controls to effectively manage ICT environmental and system changes;
e) Manage day-to-day operations of ICT development, processing of data, and production systems and networks;
f) Make the Board of Directors and Management aware of their roles and responsibilities for the protection of information;
g) Prioritize information and ICT systems and the associated risks that need to be mitigated under ICT Risk Management;
h) Establish an appropriate project management approach for ICT projects;
i) Analyze and minimize security risks arising from the faster adoption of Bring-Your-Own-Device (BYOD) as well as other electronic banking infrastructure, including internet banking, mobile financial services, agent banking, payment cards, ATM and POS devices.

1.3 ICT Infrastructure level in Janata Bank Limited

The locations to which this policy applies, i.e. the Departments of Head Office, Divisional Offices, Area Offices, Branches and/or Booths, are categorized into three tiers depending on their ICT setup and operational environment/procedures:

Tier-1: Centralized ICT operation for managing the core banking application solution through the Central Data Center (CDC), with backup assets for continuation of critical services including the Disaster Recovery Site (DRS)/Secondary Data Center, to which all controlling offices, branches and booths are connected through WAN, with 24 x 7 attended operation.

Tier-2: Head Office, Divisional/Area/Zonal Office, Branch or Booth having a Server to which all or a part of the computers of that location are connected through LAN.

Tier-3: Head Office, Divisional/Area/Zonal Office, Branch or Booth having stand-alone computer(s), Laptops or ATM(s).
1.4 Minimum characteristics/features of the Central Data Center (CDC) and Disaster Recovery Site (DRS) for Janata Bank Limited

While constructing and operating the CDC & DRS, the following requirements should be followed:
a) CDC & DRS should be constructed to a well-approved design.
b) CDC & DRS should not be located above the 10th floor of a building.
c) They should not be located in an Industrial Area.
d) The Data Centers should not be located in the same Seismic Zone. The distance between CDC and DRS must be more than 30 KM.
e) All the emergency telephone numbers of the different service agencies, such as the Fire Brigade, Electricity Company, Titas Gas, WASA and City Corporation, along with those of the concerned officers of the different vendors, must be recorded and displayed in several places.
f) Name, Designation and Mobile phone numbers of all the Officers working/posted in CDC & DRS must be displayed in attention-grabbing places.
g) An approved Rescue Team with well-defined job duties should be in force. A dedicated transport facility for CDC & DRS operation must be available.

Chapter 2

2. ICT SECURITY MANAGEMENT

ICT Security Management, the most vital and important part of this policy, must ensure that ICT functions and operations are efficiently and effectively managed. A separate Department/Cell, such as an 'ICT Security Department' at Head Office, will be engaged for this purpose. They should be aware of the capabilities of ICT and be able to appreciate and recognize opportunities and the risks of possible abuse. They have to ensure maintenance of appropriate systems documentation, particularly for systems which support financial reporting. They have to participate in ICT security planning to ensure that resources are allocated consistently with business objectives. They have to ensure that sufficient and qualified technical staff are employed so that the continuance of the ICT operation area is unlikely to be seriously at risk at any time.

ICT Security Management deals with ICT Security Policy Documentation, Internal/External Information System Audit, Training, Awareness and Insurance. The ICT Security Department and/or any related steering committee shall supervise overall ICT security management.

2.1 Roles and Responsibilities

Well-defined roles and responsibilities of the Board of Directors and Senior Management are vital for implementing ICT Governance; clearly-defined roles enable effective project control and set the organization's expectations. ICT Governance stakeholders include the Board of Directors, CEO & MD, ICT Steering Committee, ICT Security Committee, Risk Management Committee, CTO and Business Executives.

2.1.1 Roles and responsibilities of the Board of Directors (as per Bangladesh Bank's ICT Security Guideline)
a) Approving ICT strategy and policy documents.
b) Ensuring that the management has put an effective planning process in place.
c) Endorsing that the ICT strategy is indeed aligned with business strategy.
d) Ensuring that the ICT organizational structure complements the business model and its direction.
e) Ensuring that ICT investments represent a balance of risks and benefits and acceptable budgets.
f) Ensuring the compliance status of the ICT Security Policy.
2.1.2 Roles and responsibilities of the ICT Steering Committee

The ICT Steering Committee should be formed as follows:

Sl  Designation & Department   Position
01  CEO & MD                   Chairperson
02  All DMD                    Member
03  GM - ICT                   Member
04  GM - HR                    Member
05  GM - ICC/IAD               Member
06  GM - Law                   Member
07  GM - Local Office          Member
08  GM - JBCB                  Member
09  DGM - ICTD-System          Member-Secretary
10  DGM - ICTD-Operation       Member
11  DGM - CDC/DRS              Member
12  DGM - IAD (ICT)            Member
13  DGM - RMD                  Member
(The committee can co-opt any other members as per requirement)

The roles and responsibilities of this committee are as follows:
a) Monitor management methods to determine and achieve strategic goals
b) Be aware of exposure towards ICT risks and controls
c) Provide guidance related to risk, funding, or sourcing
d) Ensure project priorities and assess feasibility for ICT proposals
e) Ensure that all critical projects have a component for "project risk management"
f) Consult and advise on the selection of technology within standards
g) Ensure that vulnerability assessments of new technology are performed
h) Ensure compliance with regulatory and statutory requirements
i) Provide direction to architecture design and ensure that the ICT architecture reflects the need for legislative and regulatory compliance

2.1.3 Roles and responsibilities of the ICT Security Committee

The ICT Security Committee should be formed as follows:

Sl  Designation & Department     Position
01  DMD - ICT                    Chairperson
02  GM - ICT                     Member
03  GM - HR                      Member
04  GM - ICC/IAD                 Member
05  GM - Risk Management         Member
06  GM - Law                     Member
07  GM - Local Office            Member
08  GM - JBCB                    Member
09  DGM - ICTD-System            Member-Secretary
10  DGM - ICTD-Operation         Member
11  DGM - CDC/DRS                Member
12  DGM - Monitoring Department  Member
(The committee can co-opt any other members as per requirement)

The roles and responsibilities of this committee are as follows:
a) Ensure development and implementation of ICT security objectives and ICT security related policies and procedures.
b) Provide ongoing management support to the Information Security processes.
c) Ensure continued compliance with the business objectives and the regulatory and legal requirements related to ICT security.
d) Support the formulation of the ICT risk management framework/process and establish acceptable ICT risk thresholds/ICT risk appetite and assurance requirements.
e) Periodically review and approve modifications to ICT Security processes.

2.2 ICT SECURITY POLICY

2.2.1 To achieve an appropriate level of protection in the field of IT Security, a comprehensive 'ICT Security Policy' should be prepared and adopted by the concerned ICT Security Department/Cell, listing all the measures to be taken in the context of IT-related security precautions. It must fully comply with the Central Bank's (Bangladesh Bank's) ICT Security Guideline and be approved by the Board of Directors of the bank. The policy would be a systematic approach of controls to the other policies required for ensuring the security of information and information systems, and shall cover all information that is electronically generated, received, stored, replicated, printed, scanned or manually prepared. The policy should establish general requirements and responsibilities for protecting Information and Information Systems. The policy should cover common technologies such as computers & peripherals, data and network, web systems, and other specialized ICT resources. The bank's delivery of services depends on the availability, reliability and integrity of its information technology systems; therefore, the related department must adopt appropriate methods to protect its information systems. The senior management of the bank must express a commitment to ICT security by continuously increasing awareness and ensuring training for the bank's staff. Until a new and separate ICT Security Policy is developed, all necessary ICT Security standards and measures of this ICT Policy will have to be followed.

2.2.2 The policy will require regular update and approval from the Board of Directors to deal with evolving changes in the ICT environment and business regulations, both within the bank and across the overall industry.

2.2.3 For non-compliance issues, a compliance plan shall be submitted to Bangladesh Bank for dispensation as per the format given in Annexure 1. Dispensation has to be for a specific period of time.

2.3 DOCUMENTATION

2.3.1 The following shall be documented by the concerned departments, controlling offices and branches of the bank:
a) Updated Organogram chart for ICT related department/division (centralized/decentralized).
b) Branch organogram with the ICT support unit/section/personnel (Business/ICT).
c) Approved Job Description (JD) for each individual within the ICT department/division, with a fallback resource person.
d) A scheduled roster for personnel doing shift duties, if necessary.
e) Segregation of duties for ICT tasks.
f) Pre-scheduled roster for sensitive ICT tasks such as EOD operation, Network Monitoring, Security guard for CDC & DRS, ATM Monitoring, etc.
g) Updated "Operating Procedure" for all ICT functional activities (such as Backup Management, Database Management, Network Management, Scheduling Processes, System Start-up, Shut-down, Restart and Recovery, etc.)
h) Approved relevant requisition/acknowledgement forms for different ICT requests/operations/services.
i) Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP).
j) Different ICT related "User Manuals/Operation Manuals" for users.

2.4 INTERNAL INFORMATION SYSTEM AUDIT

2.4.1 Members of the Janata Bank Limited Internal Audit Department/ICT Audit Department must conduct security audits/IS audits on any system at Janata Bank Limited to maximize the effectiveness of systems and minimize interference with business processes. The audit shall be conducted by personnel with sufficient Security/IS audit expertise and skills. A Certified IS Auditor may be engaged for this purpose to obtain better results.

2.4.2 Computer-Assisted Auditing Tools (CAATs) may be used by the bank to perform Security/IS audit planning, monitoring/auditing, control assessment, data extraction/analysis, fraud detection/prevention and management.

2.4.3 In an IS audit, the Internal Audit Team shall:
a) Ensure integrity, confidentiality and availability of information and resources;
b) Investigate possible security incidents to ensure conformance to the Janata Bank Limited security policy;
c) Monitor user or system activity where appropriate.

2.4.4 This audit may include:
a) User level and/or system level access to any computing or communication device;
b) Access to information that may be produced, transmitted or stored on Janata Bank Limited equipment or premises;
c) Access to work areas (CDC, DRS, labs, offices, cubicles, storage areas, etc.);
d) Access to interactively monitor or log traffic on Janata Bank Limited networks;
e) Audits of operational systems shall be planned carefully by the Management/Audit Team to minimize the risk of disruption to day-to-day business operations;
f) Access to audit tools shall be protected to prevent any possible misuse or compromise;
g) The integrity of system audit test data shall be protected and shall be validated to ensure it is correct and appropriate before conducting the audit exercise.

2.4.5 The Internal Audit Department/ICT Audit Department must develop an annual System/Security/IS audit plan. Audit reports must be preserved. The concerned Compliance/Monitoring Department must ensure that audit issues are properly tracked and, in particular, completely recorded, adequately followed up and satisfactorily rectified.

2.4.6 The Department/branch shall take appropriate measures to address the recommendations made in the last Audit Report. This must be documented and kept along with the aforesaid Audit Report.

2.5 EXTERNAL INFORMATION SYSTEM AUDIT

2.5.1 The Bank may engage external audit team(s)/firm(s) for Security/IS audit in line with the regular financial audit.
The audit report should be complied with and preserved.

2.6 STANDARD CERTIFICATION

2.6.1 The Bank may take the initiative for certification processes related to the bank's Information System Security, Quality of ICT Service Delivery, Business Continuity Management, Data Center Management, Payment Card Data Security, etc.

2.7 TRAINING AND SECURITY AWARENESS

2.7.1 Since Information Security is emerging as the most vital and critical issue in the financial sector, especially in banking business, Janata Bank Staff College, the Regional Staff Colleges and the ICT Departments of the bank, in connection with HRD/HRDD, shall ensure that all relevant personnel receive proper training, education, updates and awareness of ICT related activities, especially the security related activities relevant to their job function.

2.7.2 Janata Bank Staff College shall also ensure the minimum level of Business Foundation Training for ICT personnel.

2.7.3 Training/Workshops on Security Awareness shall be provided to all employees of the bank. Managers of branches must get preference in this Training/Workshop.

2.7.4 The Security/IS Audit team of the bank must be adequately trained from time to time, considering any new banking services and technological changes.

2.8 INSURANCE OR RISK COVERAGE FUND

2.8.1 Adequate Insurance Coverage or a Risk Coverage Fund has been maintained by the Accounts Department as per approved requests made by the concerned ICT departments, so that the costs of loss and/or damage of ICT related hardware assets can be mitigated. When the goods or equipment are disposed of from the books of accounts, the related portion of the risk coverage fund may be treated as Income of the bank/transferred to the Reserve Fund of the bank as per Management decision. At present, the Risk Coverage Fund is created under the title "Other Liabilities: Risk Coverage Fund (1210504160)" and maintained by the Accounts Department of Head Office by debiting the yearly Operating Profit of the bank at the rate of 0.66% (Zero Point Six Six percent) of the Yearly Purchase Value of Hardware Assets.

Chapter 3

3. ICT RISK MANAGEMENT

Risk is the possibility of an adverse event occurring and its potential for negative implications to the organization. Risk Management is the process of managing the probability or severity of the adverse event to an acceptable range or within limits set by the organization. Risks are inherent to banking business due to its nature and its dependency on the customers' reliability. Banks nowadays face strategic risk, environmental risk, market risk, credit risk, balance sheet risk, foreign exchange risk, ICC risk, operational risk, compliance risk, etc. ICT risk is a component of the overall risk. In many enterprises, ICT related risk is considered to be a component of operational risk. However, even strategic risk can have an ICT component itself, especially where ICT is the key enabler of new business initiatives. The same applies to credit risk, where poor ICT security can lead to lower credit ratings. It is better not to depict ICT risk with a hierarchical dependency on one of the other risk categories. ICT risk is business risk; specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of ICT within a Bank. It consists of ICT related events and conditions that could potentially impact the business. It can occur with both uncertain frequency and magnitude, and it creates challenges in meeting strategic goals and objectives.
The ICT Departments of Janata Bank Limited, in connection with the Risk Management Department, will work on the Risk Management issues described below.

3.1 ICT Risk Governance

3.1.1 The Bank shall form an ICT Risk Management Committee under the supervision of the Risk Management Department to govern overall ICT risks and the relevant mitigation measures. The committee would be formed as follows:

Sl  Designation & Department                                  Position
01  GM - ICT                                                  Chairperson
02  DGM - ICTD-System                                         Member
03  DGM - ICTD-Operation                                      Member
04  DGM/AGM - CDC/DRS                                         Member
05  AGM - ICT-System                                          Member
06  AGM (CDC & DRS) - ICT-Operation                           Member
07  FAGM (ICT Security/Risk Management) - ICT-System          Member-Secretary
(The committee can co-opt any other members as per requirement)

3.1.2 The related department/cell shall define the Risk Appetite (the amount of risk the Bank is prepared to accept to achieve its objectives) in terms of combinations of the frequency and magnitude of a risk it can absorb as loss, e.g. financial loss or reputation damage.

3.1.3 The related department/cell shall define the Risk Tolerance (the tolerable deviation from the level set by the risk appetite definition), with approval from the Board/Risk Management Committee, and clearly communicate it to all stakeholders.

3.1.4 Janata Bank shall review and approve changes to risk appetite and tolerance over time; in particular, new technology, new organizational structure, new business strategy and other factors require the enterprise to reassess its risk portfolio at regular intervals.

3.1.5 The related department/cell shall assign risk responsibilities to individuals to ensure successful completion.

3.1.6 The ICT division shall define risk accountability, which applies to those who own the required resources and have the authority to approve the execution and/or accept the outcome of an activity within specific ICT Risk processes. Ownership of a risk stays with the owner or custodian, whichever is in the better position to mitigate the identified risk for that specific ICT asset.

3.1.7 The ICT Risk Management Committee shall acknowledge all risks through Risk Awareness, so that they are well understood, known and recognized as the means to manage them.

3.1.8 Janata Bank shall contribute to executive management's understanding of the actual exposure to ICT risk through Open Communication, enabling the definition of appropriate and informed risk responses.

3.1.9 The ICT Risk Management Committee shall raise awareness amongst all internal stakeholders of the importance of integrating risk and opportunity into their daily duties.

3.1.10 Janata Bank shall be transparent to external stakeholders regarding the actual level of risk and the risk management processes in use.

3.1.11 Janata Bank shall build a Risk-aware Culture from the top, with the Board and executives, who set direction, communicate risk-aware decision making and reward effective risk management behaviors.

3.1.12 The ICT security department/cell shall report the status of identified ICT security risks to the ICT Security Committee and the Risk Management Committee periodically, as defined in the policy.

3.2 ICT Risk Assessment

Meaningful ICT risk assessments and risk-based decisions require ICT risks to be expressed in unambiguous, clear, business-relevant terms. Effective risk management requires mutual understanding between ICT and the business over which risks need to be managed. All stakeholders must have the ability to understand and express how adverse events may affect business objectives.
a) An ICT person shall understand how ICT related failures or events can impact enterprise objectives and cause direct or indirect loss to the enterprise.
b) A business person shall understand how ICT related failures or events can affect key services and processes.

3.2.1 Janata Bank shall establish a Business Impact Analysis (BIA) to understand the effects of adverse events. The Bank may practice several techniques and options that can help to describe ICT risks in business terms.

3.2.2 The Bank shall practice the development and use of the Risk Scenarios technique to identify the important and relevant risks amongst all. The developed risk scenarios can be used during risk analysis, where the frequency and impact of each scenario are assessed.

3.2.3 The Bank shall define the Risk Factors that influence the frequency and/or business impact of risk scenarios.

3.2.4 The Bank shall interpret risk factors as causal factors of the scenario that is materializing, or as vulnerabilities or weaknesses.

3.2.5 The ICT security department/unit/cell shall conduct periodic ICT risk assessments of ICT related assets (processes and systems) and provide recommendations to risk owners for mitigation.

3.3 ICT Risk Response

The purpose of risk response is to bring measured risk in line with the defined risk tolerance level for the bank. In other words, a response needs to be defined such that as much future residual risk as possible (usually depending on the budgets available) falls within risk tolerance limits. When the analysis shows risks deviating from the defined tolerance levels, a response needs to be defined. This response can be any of four possible ways: Risk Avoidance, Risk Reduction/Mitigation, Risk Sharing/Transfer and Risk Acceptance.

3.3.1 The Bank shall develop a set of metrics to serve as risk indicators. Indicators for risks with high business impact are most likely to be Key Risk Indicators (KRIs).

3.3.2 The Bank shall make the effort to implement, measure and report different indicators that are equivalent in sensitivity.
3.3.3 Selection of the right set of KRIs, Bank shall carry out: a) Provide an early warning for a high risk to take proactive action b) Provide a backward-looking view on risk events that have occurred c) Enable the documentation and analysis of trends d) Provide an indication of the risk’s appetite and tolerance through metric setting e) Increase the likelihood of achieving the strategic objectives f) Assist in continually optimizing the risk governance and management environment 3.3.4 The Bank shall define risk response to bring risk in line with the defined risk appetite for the Bank after risk analysis. 3.3.5 The Bank shall strengthen overall ICT risk management practices with sufficient risk management processes. 3.3.6 The Bank shall introduce a number of control measures intended to reduce either of an adverse event and/or the business impact of an event. 3.3.7 The Bank shall share or reduce risk frequency or impact by transferring or otherwise sharing a portion of the risk, e.g. insurance, outsourcing. 12 | P a g e Chapter 4 4. ICT OPERATION MANAGEMENT ICT Operation Management covers the dynamics of technology operation management including operating procedures, asset management, request management, disposal management, and change management. The objective is to achieve the highest levels of technology service quality by minimum operational risk. 4.1 ORGANIZATIONAL STRUCTURE OF INFORMATION AND COMMUNICATION TECHNOLOGY (ICT) AT JANATA BANK LIMITED At present as per Information Circular no: 121/12 dated 27-06-2012, 2(two) separate departments of Head Office and IT Support Cells in different Divisional Offices of the bank are engaged with ICT related works. As per management requirement, planning or decision this structure may be time to time changed. 4.2 OPERATING PROCEDURE 4.2.1 Operating procedures shall be approved, documented, available and maintained for the users related to their job function. 
4.2.2 Changes to operating procedures must be approved by management and documented.
4.2.3 Operating procedures shall cover the following where appropriate:
a) Documentation on handling of different processes;
b) Documentation on scheduling processes, system start-up, closedown, restart and recovery (centralized/decentralized);
c) Documentation on handling of exception conditions;
d) Scheduled system maintenance.

4.3 REQUEST MANAGEMENT
4.3.1 To avail of any service related to ICT, a formal request process must be established using the Request Form as per Annexure-2.

4.4 CHANGE MANAGEMENT
4.4.1 Changes to information processing facilities and systems will be controlled.
4.4.2 A Business Requirement Document (BRD) will be prepared by the concerned department, covering the requirements of system changes and the impact they will have on business processes, security matrix, reporting, interfaces, etc.
4.4.3 All changes to business applications implemented in the production environment must be governed by a formal documented process with the necessary change details. A sample form has been provided in Annexure 3.
4.4.4 Audit trails will be maintained for business applications.
4.4.5 A rollback plan will be prepared for unexpected situations arising from any change.
4.4.6 User Acceptance Testing (UAT) for changes and upgrades in applications will be carried out before deployment. A sample form for UAT has been given in Annexure 4.
4.4.7 User Verification Testing (UVT) will be carried out post deployment.

4.5 INCIDENT MANAGEMENT
An incident occurs when there is an unexpected disruption to the standard delivery of ICT services. The Bank will appropriately manage such incidents to avoid a situation of mishandling that results in a prolonged disruption of ICT services.
4.5.1 The Bank will establish the structure of the incident management framework with the objective of restoring normal ICT service as quickly as possible in all respects (Head Office, Divisional Office, Area Office and Branches), as per the BCP & DRP guideline of the Bank, to reduce the impact of the incident on business operations. The Bank will also establish the roles and responsibilities of staff involved in the incident management process, which includes recording, analyzing, remediating and monitoring incidents.
4.5.2 It is important that incidents are accorded the appropriate severity level. As part of incident analysis, the Bank may delegate the function of determining and assigning incident severity levels to a technical helpdesk function. The Bank will train helpdesk staff to determine incidents of high severity level. In addition, the criteria used for assessing severity levels of incidents will be established and documented.
4.5.3 The Bank will establish corresponding escalation and resolution procedures where the resolution timeframe is proportionate to the severity level of the incident.
4.5.4 The predetermined escalation and response plan for security incidents will be tested on a periodic basis.
4.5.5 The Bank will form an ICT Emergency Response Team/Support Cell, comprising staff within the Bank with the necessary technical and operational skills to handle major incidents.
4.5.6 In some situations, major incidents may further develop adversely into a crisis. Senior management will be kept apprised of the development of these incidents so that the decision to activate the disaster recovery plan of the Bank can be made on a timely basis. The Bank will inform Bangladesh Bank as soon as possible in the event that a critical system has failed over to its disaster recovery system.
4.5.7 The Bank will keep customers informed of any major incident.
Being able to maintain customer confidence throughout a crisis or an emergency situation is of great importance to the reputation and soundness of the Bank.
4.5.8 As incidents may stem from numerous factors, the Bank will perform a root-cause and impact analysis for major incidents which result in severe disruption of ICT services. The Bank will take remediation actions to prevent the recurrence of similar incidents.
4.5.9 The root-cause and impact analysis report will cover the following areas:
a) Root Cause Analysis
i. When did it happen?
ii. Where did it happen?
iii. Why and how did the incident happen?
iv. How often had a similar incident occurred over the last 2 years?
v. What lessons were learnt from this incident?
b) Impact Analysis
i. Extent of the incident, including information on the systems, resources and customers that were affected;
ii. Magnitude of the incident, including foregone revenue, losses, costs, investments, number of customers affected, implications, and consequences to reputation and confidence;
iii. Breach of regulatory requirements and conditions as a result of the incident.
c) Corrective and Preventive Measures
i. Immediate corrective action to be taken to address the consequences of the incident. Priority will be placed on addressing customers' concerns.
ii. Measures to address the root cause of the incident.
iii. Measures to prevent similar or related incidents from occurring.
4.5.10 The Bank will adequately address all incidents within the corresponding resolution timeframes and monitor all incidents to their resolution.

4.6 PROBLEM MANAGEMENT
While the objective of incident management is to restore the ICT service as soon as possible, the aim of problem management is to determine and eliminate the root cause to prevent the occurrence of repeated incidents.
4.6.1 Each department of Janata Bank Limited will establish a process to log information system related problems and incidents.
4.6.2 The Bank will have a workflow process to assign any problem or issue to a concerned person to get a quick, effective and orderly response.
4.6.3 A process will be established to perform the necessary corrective action within the timeframe appropriate to the problem's severity.
4.6.4 Problem findings and action steps taken during the problem resolution process will be documented.
4.6.5 A trend analysis of past problems will be performed to facilitate the identification and prevention of similar problems.

4.7 CAPACITY MANAGEMENT
The goal of capacity management is to ensure that ICT capacity meets current and future business requirements in a cost-effective manner.
4.7.1 To ensure that ICT systems and infrastructure are able to support business functions, the concerned department of Janata Bank Limited will ensure that indicators such as performance, capacity and utilization are monitored and reviewed.
4.7.2 The concerned department of the Bank will establish monitoring processes and implement appropriate thresholds to plan and determine additional resources to meet operational and business requirements effectively.

Chapter 5
5. INFRASTRUCTURE SECURITY MANAGEMENT
The ICT landscape is vulnerable to various forms of attack. The frequency and malignancy of such attacks are increasing. Janata Bank Limited will assure security solutions at the data, application, database, operating system and network levels to adequately address related threats. Appropriate measures will be implemented to protect sensitive or confidential information, such as customer personal information and account and transaction data, which are stored and processed in systems. Customers will be properly authenticated before being given access to online transactions or sensitive personal or account information.

5.1 Asset Management
5.1.1 Prior to procuring any new ICT asset, a compatibility assessment (with the existing system) needs to be performed by the Bank.
5.1.2 All ICT asset procurement will comply with the procurement policy of Janata Bank Limited. All the Procuring Entities of Janata Bank Limited must strictly follow the Public Procurement Act-2006 and the related Public Procurement Rule-2008 to procure ICT related goods, works and services.
5.1.3 Each ICT asset will be assigned to a custodian (an individual or entity) who will be responsible for the development, maintenance, usage, security and integrity of that asset.
5.1.4 All ICT assets will be clearly identified and labeled. Labeling will reflect the established classification of assets.
5.1.5 The Bank will maintain an ICT asset inventory stating significant details (e.g. owner, custodian, purchase date, location, license number, configuration, etc.).
5.1.6 The Bank will review and update the ICT asset inventory periodically.
5.1.7 Information system assets will be adequately protected from unauthorized access, misuse or fraudulent modification, insertion, deletion, substitution, suppression or disclosure.
5.1.8 The Bank will follow the following Disposal/Condemnation Policy for information system asset protection. All data on equipment and associated storage media must be destroyed or overwritten before sale, disposal or re-issue.

5.1.8.1 DISPOSAL MANAGEMENT
"Disposal" refers to the reselling, reassignment, recycling, donating or throwing out of IT equipment through responsible, ethical and environmentally sound means. The purpose of this procedure is to establish and define standards and restrictions for the disposal of non-leased IT equipment in a legal, cost-effective manner.
IT assets and resources (i.e. desktop computers, servers, databases, all kinds of backup or storage devices, etc.) must be discarded according to legal requirements/retention policy and environmental regulations. Acceptable methods for the disposal of IT assets are as follows:
a) Sold in a public forum.
b) Auctioned through online/paper advertisement/notice board.
c) Reassigned to a less-critical business operation function.
d) Donated to schools, charities, and other non-profit organizations.
e) Discarded as rubbish in a landfill after sanitization of toxic materials by an approved service provider, as required by local or national regulations.
PROCEDURE: The approved Condemnation Committee of the concerned departments of Head Office will, at first, collect information on the obsolete hardware and peripherals from the different departments of Head Office, Divisional Offices, Area Offices and branches of the Bank. The committee will then scrutinize the detailed information on the equipment and identify each item by its brand name, model, serial number, quantity (location wise), book value, condition, etc. The committee then makes its recommendation to the management for approval. After getting approval from the management, the goods will be disposed of as per the decision.
5.1.9 The concerned department of the Bank will provide guidelines for the use of portable devices, especially for usage outside the premises.
5.1.10 The Bank will provide a policy for the return of organizational assets from employees/external parties upon termination of their employment, contract or agreement. In no case can the Bank sell the assets to its employees.
5.1.11 The Bank will comply with the terms of all software licenses and will not use any software that has not been legally purchased or otherwise legitimately obtained.
5.1.12 Outsourced software used in the production environment will be subject to a support agreement with the vendor.
5.1.13 The Bank will approve a list of software, and only software on that list will be used on any computer.
5.1.14 Use of unauthorized or pirated software must be strictly prohibited throughout the Bank.

5.2 (a) Desktop Controls
5.2a.1 Desktop computers will be connected to a UPS to prevent damage to data and hardware.
5.2a.2 Before leaving a desktop computer unattended, users will apply the "Lock Workstation" feature.
Desktops must have a password-protected screensaver which will be activated after a period of not more than 5 minutes.
5.2a.3 Desktop computers, monitors, etc. must be turned off at the end of each workday.
5.2a.4 Access to USB ports on desktop computers will be controlled.
5.2a.5 Other information storage media containing confidential data, such as paper, files, tapes, etc., will be stored in a secured location or locked cabinet when not in use.
5.2a.6 Individual users must not install or download software applications and/or executable files to any desktop computer without prior authorization.
5.2a.7 Desktop computer users will not write, compile, copy, knowingly propagate, execute, or attempt to introduce any computer code designed to self-replicate, damage, or otherwise hinder the performance of any computer system (e.g. virus, worm, Trojan, etc.).
5.2a.8 Any kind of virus will be reported immediately.
5.2a.9 Viruses will not be cleaned/deleted without expert assistance unless otherwise instructed.
5.2a.10 User identification (ID) and authentication (password) will be required to access all desktops whenever they are turned on or restarted.
5.2a.11 Standard virus detection software must be installed on all desktop computers and will be configured to check files when read and to routinely scan the system for viruses.
5.2a.12 Desktop computers will be configured to log all significant computer security relevant events (e.g. password guessing, unauthorized access attempts, or modifications to applications or system software).
5.2a.13 All computers will be placed above floor level and away from windows.

5.2 (b) Laptop, Notebook Device Controls
5.2b.1 Before leaving a laptop or notebook computer unattended, users will apply the "Lock Workstation" feature. Laptop devices must have a password-protected screensaver which will be activated after a period of not more than 5 minutes.
5.2b.2 Confidential or sensitive information stored on laptops/notebooks must be encrypted or password protected.
5.2b.3 Laptops, monitors, etc. must be turned off at the end of each workday.
5.2b.4 Laptops, computer media and any other forms of removable storage containing sensitive information (e.g. CD-ROMs, Zip disks, PDAs, flash drives, tape drives, external hard drives) will be stored in a secured location or locked cabinet when not in use.
5.2b.5 Access to USB ports on laptop computers will be controlled.
5.2b.6 Individual users must not install or download software applications and/or executable files to any laptop or notebook computer without prior authorization.
5.2b.7 Users of laptops, notebooks or any such devices will not write, compile, copy, knowingly propagate, execute, or attempt to introduce any computer code designed to self-replicate, damage, or otherwise hinder the performance of any computer system (e.g. virus, worm, Trojan, etc.).
5.2b.8 Any kind of virus will be reported immediately.
5.2b.9 Viruses will not be cleaned/deleted without expert assistance unless otherwise instructed.
5.2b.10 User identification (ID) and authentication (password) will be required to access all laptops whenever they are turned on or restarted.
5.2b.11 Standard virus detection software must be installed on all laptops and notebooks and will be configured to check files when read and to routinely scan the system for viruses.
5.2b.12 Laptop computers will be configured to log all significant computer security relevant events (e.g. password guessing, unauthorized access attempts, or modifications to applications or system software).

5.3 BYOD Controls
"Bring Your Own Device" (BYOD) is a relatively new practice that enables employees to access corporate email, calendars, applications and data from their personal mobile devices, such as smart phones, tablet computers, etc.
Since at present Janata Bank Limited is not in a position to adequately manage the security risks associated with BYOD, the Bank will not permit its employees to access corporate mail or other applications with their personal devices. Later, after conducting a comprehensive risk assessment of BYOD implementation, this facility may be introduced to the employees of Janata Bank Limited if it is found that the Bank is able to manage the related security risks.

5.4 Server Security Controls
5.4.1 Test, Development and Training Servers should be separated from the Production servers. Basic data of different accounts must not be the same in those servers.
5.4.2 Users will have specific authorization for accessing servers with a defined set of privileges.
5.4.3 An additional authentication mechanism will be used to control the access of remote users.
5.4.4 Servers must have a password-protected screen saver that will be activated after a period of not more than 1 (one) minute.
5.4.5 Activities of System Administrators will be logged. Servers containing sensitive and confidential data may export activity logs to a central log host.
5.4.6 The Bank will maintain test server(s) to provide a platform for testing configuration settings, new patches and service packs before they are applied to the production system.
5.4.7 The Bank will ensure the security of the file sharing process. File and print shares must be disabled if not required, or kept to a minimum where possible.
5.4.8 All unnecessary services running on the production server will be disabled. No new service will run on a production server without prior testing.
5.4.9 All unnecessary programs will be uninstalled from production servers.
5.4.10 Physical access will be restricted; a visitors' log must exist and be maintained for the server room.
5.5 Data Center Controls
As critical systems and data of the Bank are concentrated and housed in the Central Data Center (CDC), it is important that the CDC is resilient and physically secured from internal and external threats.

5.5.1 Physical Security
5.5.1.1 Physical security will be applied to the information processing area or Data Center. The DC must be a restricted area, and unauthorized access will be strictly prohibited.
5.5.1.2 The Bank will permit limited access to the CDC to authorized staff only. Physical access of staff to the CDC will be revoked immediately if it is no longer required.
5.5.1.3 Access authorization procedures will be strictly applied to vendors, service providers, support staff and cleaning crews. The Bank will ensure that visitors are accompanied at all times by an authorized employee while in the DC.
5.5.1.4 An access authorization list of the persons authorized to access the Data Center will be maintained and reviewed periodically.
5.5.1.5 All physical access to sensitive areas by vendors, service providers and visitors entering the Central Data Center must be logged with the date, time and purpose of access.
5.5.1.6 The Bank will ensure that the perimeter of the CDC, facility and equipment room are physically secured and monitored. Physical, human and procedural controls will also be employed 24 hours a day, such as the use of security guards, card access systems, mantraps and surveillance systems where appropriate.
5.5.1.7 An emergency exit door will be available.
5.5.1.8 An inventory of all computing equipment, associated equipment and consumables housed in the CDC must be maintained by the manager or a delegate.
5.5.1.9 The physical security of the Central Data Center premises will be reviewed at least once each year.

5.5.2 Environmental Security
5.5.2.1 General Guideline
5.5.2.1.1 The Central Data Center (CDC) and Disaster Recovery Site (DRS) should be built in the Bank's own building.
The features mentioned in Paragraph 1.4 of Chapter 1 should be maintained.
5.5.2.1.2 Development and test environments shall be separated from production. Basic data of different accounts must not be the same in those servers.
5.5.2.1.3 The complete layout of the Data Center should be designed, applied and documented.
5.5.2.1.4 A "No eating, drinking or smoking" sign shall be on display.
5.5.2.1.5 Closed Circuit Television (CCTV)/IP cameras shall be installed for monitoring.
5.5.2.1.6 A Rodent Repellent System (ultrasonic device) should be used to protect devices from insects.
5.5.2.1.7 Motion detector devices have to be installed inside the server, power and control rooms.
5.5.2.1.8 Dedicated office vehicles for any emergency shall always be available on site. Use of public transport must be avoided while carrying critical equipment outside the Bank's premises, to avoid the risk of any casualty.
5.5.2.1.9 Any accessories not related/associated to the Data Center shall not be allowed to be stored in the Data Center.
5.5.2.1.10 The Data Center shall have full-time supported dedicated telephone communication.
5.5.2.1.11 Addresses and telephone or mobile numbers of all contact persons (e.g. fire service, police station, service providers, vendors and all related ICT personnel) must be available to cope with any emergency situation.

5.5.2.2 Power Management
5.5.2.2.1 The power feed from the source (Main Distribution Board or Generator) to the CDC/DRS must be dedicated.
5.5.2.2.2 Electrical outlets from power sources to devices must be restricted and monitored to avoid the risk of overloading.
5.5.2.2.3 The physical layout of the power distribution should be documented.
5.5.2.2.4 The power supply system and other support units must be separated from the production site and placed in a secure area to reduce the risks from environmental threats.
5.5.2.2.5 An industry standard Uninterruptible Power Supply (UPS) with backup units should be installed.
5.5.2.2.6 A raised floor with removable blocks, or channels alongside the wall, shall be prepared to protect data and power cables from interception and any sort of damage.
5.5.2.2.7 A power generator shall be in place as backup power supply to continue operations in case of power failure.
5.5.2.2.8 Emergency power cut-off switches shall be used where applicable.
5.5.2.2.9 Proper attention must be given to not overloading electrical outlets with too many devices.
5.5.2.2.10 Proper earthing of the electrical installation shall be ensured.
5.5.2.2.11 Electric and data cables in the Data Center must be of good quality and be concealed.

5.5.2.3 Fire Protection
5.5.2.3.1 The floor, walls and ceiling of the CDC and DRS should be fire-resistant.
5.5.2.3.2 Fire suppression equipment suitable for the devices shall be installed.
5.5.2.3.3 An automatic fire alarm system shall be installed and tested periodically.
5.5.2.3.4 Flammable items shall not be kept inside the server/control room.
5.5.2.3.5 There shall be fire detectors below the raised floor and at the necessary locations of the zone.

5.6 Server/Network Room/Rack Controls
5.6.1 The server/network room/rack must have a glass enclosure with lock and key, under the charge of an assigned responsible person.
5.6.2 Physical access will be restricted; a visitors' log must exist and be maintained for the server room.
5.6.3 The access authorization list must be maintained and reviewed on a regular basis.
5.6.4 There will be a provision to replace the server and network devices within the shortest possible time in case of any disaster.
5.6.5 The server/network room/rack will be air-conditioned. Water leakage precautions and a water drainage system for the air conditioner will be installed.
5.6.6 A power generator will be in place to continue operations in case of power failure.
5.6.7 A UPS will be in place to provide uninterrupted power supply to the server and required devices.
5.6.8 Proper attention must be given to not overloading electrical outlets with too many devices.
5.6.9 A channel alongside the wall will be prepared to hold all required cabling in a neat and safe position, as per the layout of the power supply and data cables.
5.6.10 Addresses and phone numbers of all contact persons (e.g. fire service, police station, service providers, vendors and all ICT/responsible personnel) must be available to cope with any emergency situation.
5.6.11 The power supply will be switched off before leaving the server room if not otherwise required.
5.6.12 A fire extinguisher will be placed in a visible area outside the server room. This must be maintained and checked on an annual basis.

5.7 Networks Security Management
5.7.1 The Bank will establish baseline standards to ensure security for operating systems, databases, network equipment and portable devices, which will meet the organization's policy.
5.7.2 The Bank will conduct regular enforcement checks to ensure that the baseline standards are applied uniformly and that non-compliances are detected and raised for investigation.
5.7.3 The network design and its security configurations will be implemented under a documented plan. Different security zones will be defined in the network design.
5.7.4 All types of cables, including UTP, fiber and power, will have proper labeling for further corrective or preventive maintenance work.
5.7.5 The Bank will ensure the physical security of all network equipment.
5.7.6 Groups of information services, users and information systems will be segregated in networks, e.g. by VLAN. Unauthorized access and electronic tampering will be controlled strictly.
5.7.7 A mechanism will be in place to encrypt and decrypt sensitive data travelling through the WAN or public networks.
5.7.8 The Bank will install network security devices, such as firewalls as well as intrusion detection and prevention systems, at critical stages of its ICT infrastructure to protect the network perimeters.
5.7.9 The Bank will deploy firewalls, or other similar measures, within internal networks to minimize the impact of security exposures originating from third party or overseas systems, as well as from the internal trusted network.
5.7.10 A secure login feature (e.g. SSH) will be enabled on network devices for remote administration purposes. Any unencrypted login option (e.g. TELNET) will be disabled.
5.7.11 The Bank will back up and review the rules on network security devices on a regular basis to determine that such rules are appropriate and relevant.
5.7.12 The Bank will establish redundant communication links for WAN connectivity.
5.7.13 When deploying Wireless Local Area Networks (WLAN) within the organization, the Bank will be aware of the risks associated with this environment. Secure communication protocols for transmissions between access points and wireless clients will be implemented to secure the corporate network from unauthorized access.
5.7.14 A SYSLOG server will be established, depending on network size, to monitor the logs generated by network devices.
5.7.15 An Authentication, Authorization and Accounting (AAA) server may be established, depending on network size, to manage the network devices effectively.
5.7.16 Role-based and/or time-based Access Control Lists (ACLs) will be implemented in the routers to control network traffic.
5.7.17 A real-time health monitoring system for infrastructure management may be implemented for surveillance of all network equipment and servers.
5.7.18 Connection of personal laptops to the office network, or of any personal wireless modem to an office laptop/desktop, must be restricted and secured.
5.7.19 The Bank will change all default passwords of network devices.
5.7.20 All unused ports of access switches will be shut off by default unless otherwise defined.
5.7.21 All communication devices will be uniquely identifiable with proper authentication.
5.7.22 Role-based administration will be ensured for the servers.
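Several of the controls above (5.7.10, 5.7.14, 5.7.16, 5.7.19 and 5.7.20) can be verified mechanically against a device's running configuration, which is what the enforcement checks in 5.7.2 call for. The following is an added example, not a tool from the policy or one the Bank describes using: a Python audit over two constructed IOS-style configuration excerpts, one before and one after hardening. The clause-to-check mapping, the sample configurations, the placeholder credential values and the function names are this example's own assumptions.

```python
"""Baseline compliance audit for a network device configuration.

Added example, not a tool from the policy: reads an IOS-style running-config
and flags deviations from 5.7.10 (SSH only, TELNET disabled), 5.7.14 (syslog
host), 5.7.16 (ACLs defined), 5.7.19 (reversible 'enable password' instead
of 'enable secret') and 5.7.20 (unused access ports shut). The clause
mapping and both sample configs are this example's own constructions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    control: str  # policy clause the deviation maps to (assumed mapping)
    detail: str


def parse_sections(config: str) -> tuple[list[str], dict[str, list[str]]]:
    """Split config text into top-level lines and their indented sub-blocks;
    a top-level line opens a section, indented lines belong to it, '!' ends it."""
    global_lines: list[str] = []
    sections: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            global_lines.append(current)
            sections[current] = []
    return global_lines, sections


def audit_config(config: str) -> list[Finding]:
    """Return every baseline deviation found in the configuration text."""
    global_lines, sections = parse_sections(config)
    findings: list[Finding] = []
    for header, body in sections.items():
        if header.startswith("line vty"):  # remote administration lines
            transports = [s for s in body if s.startswith("transport input")]
            if not transports:
                findings.append(Finding("5.7.10", f"{header}: transport input not restricted"))
            for stmt in transports:
                if {"telnet", "all"} & set(stmt.split()):
                    findings.append(Finding("5.7.10", f"{header}: unencrypted login allowed ({stmt})"))
        if header.startswith("interface") and "description unused" in body and "shutdown" not in body:
            findings.append(Finding("5.7.20", f"{header}: marked unused but not shut down"))
    if not any(line.startswith("logging host") for line in global_lines):
        findings.append(Finding("5.7.14", "no syslog host configured"))
    if not any(line.startswith(("ip access-list", "access-list")) for line in global_lines):
        findings.append(Finding("5.7.16", "no access control list defined"))
    if any(line.startswith("enable password") for line in global_lines):
        findings.append(Finding("5.7.19", "enable password is reversible; use enable secret"))
    return findings


# Constructed sample: a branch switch before hardening (credential values are placeholders).
NONCOMPLIANT_CONFIG = """\
hostname branch-sw-01
enable password PLACEHOLDER
logging host 10.20.0.5
!
interface GigabitEthernet0/1
 description uplink to core
 no shutdown
!
interface GigabitEthernet0/2
 description unused
 no shutdown
!
line vty 0 4
 transport input telnet ssh
 login local
!
"""

# Constructed sample: the same switch after remediation.
HARDENED_CONFIG = """\
hostname branch-sw-01
enable secret PLACEHOLDER
logging host 10.20.0.5
ip access-list standard MGMT-ONLY
 permit 10.20.0.0 0.0.0.255
!
interface GigabitEthernet0/2
 description unused
 shutdown
!
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
 login local
!
"""

if __name__ == "__main__":
    print(audit_config(NONCOMPLIANT_CONFIG), audit_config(HARDENED_CONFIG))
```

Run against the first sample the audit reports four deviations (telnet on the vty lines, no ACL, a reversible enable password and an unused port left up); the remediated sample reports none. Such a check is only as good as the baseline it encodes, so the list of rules should be kept with the documented baseline standards of 5.7.1 and extended as they change.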
5.8 Cryptography
The primary application of cryptography is to protect the integrity and privacy of sensitive or confidential information. Cryptography is commonly used in banks to protect sensitive customer information such as PINs relating to critical applications (e.g. ATMs, payment cards and online financial systems). All encryption algorithms used in a cryptographic solution will depend only on the secrecy of the key and not on the secrecy of the algorithm. As such, the most important aspect of data encryption is the protection and secrecy of the cryptographic keys used, whether they are master keys, key encrypting keys or data encrypting keys.
5.8.1 The Bank will establish a cryptographic key management policy and procedures covering generation, distribution, installation, renewal, revocation and expiry.
5.8.2 The Bank will ensure that cryptographic keys are securely generated. All materials used in the generation process will be destroyed after usage, and the Bank will ensure that no single individual knows any key in its entirety or has access to all the constituents making up these keys.
5.8.3 Cryptographic keys will be used for a single purpose to reduce the impact of the exposure of a key.
5.8.4 The effective timeframe during which a cryptographic key may be used in a given cryptographic solution is called the cryptoperiod. The Bank will define the appropriate cryptoperiod for each cryptographic key, considering the sensitivity of the data and operational criticality.
5.8.5 The Bank will ensure that hardware security modules and keying materials are physically and logically protected.
5.8.6 When cryptographic keys are being used or transmitted, the Bank will ensure that these keys are not exposed during usage and transmission.
5.8.7 When cryptographic keys have expired, the Bank will use a secure key destruction method to ensure the keys cannot be recovered by any party.
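The key-handling requirements in 5.8.2 to 5.8.7, together with the replacement and revocation rules of 5.8.8 and 5.8.10 that follow, translate into a small set of lifecycle operations. The Python example below is added here for illustration and is not the Bank's procedure or any product's implementation: keys exist only as XOR components held by separate custodians, each record carries a single purpose and a cryptoperiod, assembled key material is overwritten after use, replacement keys come from fresh randomness, and a compromise revokes the key together with every key wrapped under it. The key ids, purposes, dates and the hash-based check value (a stand-in for an AES-based key check value) are constructed; in production the generation, storage and use of such keys belong inside the hardware security module required by 5.8.5.

```python
"""Cryptographic key lifecycle helpers (added example, not the Bank's procedure).

Models 5.8.2 (split knowledge), 5.8.3 (single purpose), 5.8.4 (cryptoperiod),
5.8.7 (secure destruction), 5.8.8 (independent replacement) and 5.8.10
(cascading revocation). Key ids, purposes and the hash-based check value are
assumptions made for this example; real keys live in an HSM.
"""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass
from datetime import date, timedelta

KEY_LEN = 32  # 256-bit keys


def split_key(n_components: int) -> list[bytes]:
    """Generate a key as n independent random components; the key is the XOR
    of all of them, so any n-1 components reveal nothing about it (5.8.2)."""
    return [secrets.token_bytes(KEY_LEN) for _ in range(n_components)]


def combine(components: list[bytes]) -> bytearray:
    """Reassemble the key from its components (done only inside a key ceremony)."""
    key = bytearray(KEY_LEN)
    for comp in components:
        for i, b in enumerate(comp):
            key[i] ^= b
    return key


def check_value(key: bytes | bytearray) -> str:
    """Short value to confirm components were combined correctly without
    disclosing the key (hash-based stand-in for an AES key check value)."""
    return hashlib.sha256(bytes(key)).hexdigest()[:6]


def destroy(key: bytearray) -> None:
    """Overwrite key material in place so it cannot be recovered (5.8.7)."""
    for i in range(len(key)):
        key[i] = 0


@dataclass
class KeyRecord:
    key_id: str
    purpose: str                   # exactly one purpose per key (5.8.3)
    kcv: str
    created: date
    cryptoperiod_days: int         # 5.8.4
    wrapped_by: str | None = None  # id of the key this key is encrypted under
    status: str = "active"

    def expires(self) -> date:
        return self.created + timedelta(days=self.cryptoperiod_days)

    def usable_on(self, today: date) -> bool:
        return self.status == "active" and today < self.expires()


def rotate(old: KeyRecord, today: date, n_components: int = 3) -> tuple[list[bytes], KeyRecord]:
    """Replace a key with fresh, independently generated material (5.8.8);
    returns one component per custodian plus the new record."""
    comps = split_key(n_components)
    key = combine(comps)
    new = KeyRecord(old.key_id + "-next", old.purpose, check_value(key), today,
                    old.cryptoperiod_days, old.wrapped_by)
    destroy(key)  # the assembled key does not outlive the ceremony
    old.status = "retired"
    return comps, new


def revoke_compromised(records: dict[str, KeyRecord], key_id: str) -> list[str]:
    """Revoke a compromised key and, transitively, every key wrapped under it
    (5.8.10). Returns the ids revoked, in processing order."""
    revoked: list[str] = []
    pending = [key_id]
    while pending:
        current = pending.pop(0)
        rec = records[current]
        if rec.status == "revoked":
            continue
        rec.status = "revoked"
        revoked.append(current)
        pending.extend(r.key_id for r in records.values() if r.wrapped_by == current)
    return revoked


def sample_inventory() -> dict[str, KeyRecord]:
    """Constructed inventory: one key-encrypting key protecting two data keys,
    plus an unrelated MAC key. Check values are placeholders here."""
    created = date(2016, 3, 1)
    return {
        "KEK-1": KeyRecord("KEK-1", "key-encrypting", "------", created, 365),
        "DEK-1": KeyRecord("DEK-1", "pin-block", "------", created, 90, wrapped_by="KEK-1"),
        "DEK-2": KeyRecord("DEK-2", "database", "------", created, 180, wrapped_by="KEK-1"),
        "MAC-1": KeyRecord("MAC-1", "message-auth", "------", created, 180),
    }
```

The `wrapped_by` field is what makes 5.8.10 enforceable: revoking `KEK-1` in the sample inventory also revokes `DEK-1` and `DEK-2`, which were encrypted under it, while the unrelated `MAC-1` stays active. The cryptoperiod check is deliberately strict (`today < expires()`), so a key is unusable on its expiry date itself.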
5.8.8 In the event of changing a cryptographic key, the Bank will generate the new key independently from the previous key.
5.8.9 The Bank will maintain a backup of cryptographic keys. The same level of protection as for the original cryptographic keys will be accorded to the backup keys.
5.8.10 If a key is compromised, the Bank will immediately revoke, destroy and replace the key and all keys encrypted under or derived from the exposed key. The Bank will inform all parties concerned of the revocation of the compromised keys.

5.9 Malicious Code Protection
5.9.1 The environment of the Bank, including servers and workstations, must be protected from malicious code by ensuring that approved anti-virus packages are installed.
5.9.2 Users must be made aware of the arrangements to prevent and detect the introduction of malicious software.
5.9.3 Software and data supporting critical business activities must be regularly scanned or searched to identify possible malicious code.
5.9.4 Files received on electronic media of uncertain origin or from unknown networks must be checked for malicious code before use.
5.9.5 Attachments to electronic mail must be checked for malicious code before use.
5.9.6 The anti-virus package must be kept up to date with the latest virus definition file using an automated and timely process.
5.9.7 All computers in the network will receive updated anti-virus signatures automatically from the server.
5.9.8 Virus auto-protection mode will be enabled to screen disks, tapes, CDs or other media for viruses.
5.9.9 A computer virus hoax is a message warning the recipients of a non-existent computer virus. The message is usually a chain e-mail that tells the recipients to forward it to everyone they know. Employees must be made aware of the problem of hoax viruses and must not forward such virus alarms.
5.9.10 A formal process for managing attacks from malicious code must include procedures for reporting attacks and recovering from attacks.
5.9.11 The Bank will arrange awareness programs for end users about computer viruses and their prevention mechanisms.

5.10 Internet Access Management
5.10.1 Internet access will be provided to employees according to the approved Internet Access Management Policy. In the case of Open Internet Branches, internet connection will be provided to PCs/workstations which are not connected to a LAN. All PCs/workstations will have an internet connection once secured internet connectivity has been established.
5.10.2 Access to and use of the Internet from Bank premises must be secure and must not compromise the information security of the Bank.
5.10.3 Access to the Internet from Bank premises and systems must be routed through secure gateways.
5.10.4 Any local connection directly to the Internet from Bank premises or systems, including standalone PCs and laptops, is prohibited unless approved by Information Security.
5.10.5 Employees will be prohibited from establishing their own connection to the Internet using the Bank's systems or premises.
5.10.6 Use of locally attached modems with the Bank's systems in order to establish a connection with the Internet or any third-party or public network via broadband, ISDN or PSTN services is prohibited unless specifically approved.
5.10.7 Internet access provided by the Bank must not be used to transact any commercial business activity that is not conducted by the Bank. Personal business interests of staff or other personnel must not be conducted.
5.10.8 Internet access provided by the Bank must not be used to engage in any activity that knowingly contravenes any criminal or civil law or act. Any such activity will result in disciplinary action against the personnel involved.
5.10.9 All applications and systems that require connections to the Internet or to third-party and public networks must undergo a formal risk analysis during development and before production use, and all required security mechanisms must be implemented.
5.11 Email Management

5.11.1 The email system will be used according to the Bank's email policy. ICTD-System will take the necessary steps to develop the email policy.

5.11.2 Access to the email system will only be obtained through an official request.

5.11.3 Email will not be used to communicate confidential information to external parties unless it is encrypted using approved encryption facilities.

5.11.4 Employees must consider the confidentiality and sensitivity of all email content before forwarding email or replying to external parties.

5.11.5 Information transmitted by email must not be defamatory or abusive, involve any form of racial or sexual abuse, damage the reputation of the Bank, or contain any material that is harmful to employees, customers, competitors or others. The wilful transmission of any such material is likely to result in disciplinary action.

5.11.6 The Bank email system is principally provided for business purposes. Personal use of the Bank email system is only allowed at management discretion and requires proper permission; such personal use may be withdrawn or restricted at any time.

5.11.7 Corporate email addresses must not be used for any social networking, blogs, groups, forums, etc. without management approval.

5.11.8 Email transmissions from the Bank must carry a disclaimer stating the confidentiality of the email content and that it is intended only for the addressed recipient.

5.11.9 ICTD-System will perform regular review and monitoring of email services.

5.12 Vulnerability Assessment and Penetration Testing (VAPT)

Vulnerability assessment (VA) is the process of discovering, identifying and assessing security vulnerabilities in a system.

5.12.1 The Bank will conduct VAs regularly, through the concerned cell of the department, to detect security vulnerabilities in the ICT environment.

5.12.2 The Bank will deploy a combination of automated tools and manual techniques to perform a comprehensive VA.
For web-based systems, the scope of the VA will include common web vulnerabilities such as SQL injection, cross-site scripting, etc.

5.12.3 The Bank will establish a process to remedy issues identified in VAs and perform subsequent validation of the remediation to confirm that the gaps are fully addressed.

5.12.4 The Bank will carry out penetration tests in order to conduct an in-depth evaluation of the security posture of a system through simulations of actual attacks on it. The Bank will conduct penetration tests on network infrastructure and Internet-based systems periodically or on a need basis.

5.12.5 It is encouraged that the VAPT of ICTD-System, ICTD-Operation and Card Management Department be conducted separately by renowned external companies/audit firms biyearly.

5.13 Patch Management

5.13.1 The Bank will ensure that patches are applied whenever they are available. To implement security patches in a timely manner, the Bank will establish an implementation timeframe for each category of security patch.

5.13.2 The Bank will perform rigorous testing of security patches before deploying them into the production environment.

5.14 Security Monitoring

5.14.1 The Bank will establish appropriate security monitoring systems and processes to facilitate prompt detection of unauthorized or malicious activities by internal and external parties.

5.14.2 The Bank will implement network surveillance and security monitoring procedures with the use of network security devices, such as intrusion detection and prevention systems, to protect the Bank against network intrusion attacks as well as to provide alerts when an intrusion occurs.

5.14.3 The Bank may implement security monitoring tools which enable the detection of changes to critical ICT resources such as databases, system or data files and programs, to facilitate the identification of unauthorized changes.
5.14.4 The Bank will regularly review the security logs of systems, applications and network devices for anomalies. Logs will be protected and retained for a defined period to facilitate future investigation.

Chapter 6
6. ACCESS CONTROL OF INFORMATION SYSTEM

The objective of this chapter is to specify the access control policies for information systems to be adopted by Janata Bank Limited in using Information and Communication Technology for service delivery and data processing. This chapter covers the basic and general information security controls applicable to all functional groups of the business, to ensure that information assets are protected against risk.

6.1 User Access Management

6.1.1 Every system user must have a unique user ID, password and proper privilege level.

6.1.2 The "User Management Form" should be used for user add/delete/suspend/update. The form should contain all necessary information (start/end date/time, privilege, etc.). The form must be approved by the proper authority before implementation and should be preserved for audit and review purposes.

6.1.3 After 03 (three) consecutive invalid login attempts, the system should lock the user automatically.

6.1.4 If required, vendor staff may be given system access with restricted privileges and should be monitored closely.

6.1.5 Every user should keep his/her login information (User ID, Password) secret and must not share it with others.

6.1.6 Regular reviews of user privileges have to be performed to verify that privileges are granted appropriately.

6.1.7 Access privileges shall be changed/locked/blocked immediately when the user's status changes or the user leaves the Bank.

6.2 Password Management

Passwords are an important and primary aspect of system security. They are the front line of protection for any system. A poorly chosen password may result in the compromise of JBL's entire banking system.
As such, all employees, consultants and vendors of JBL are responsible for taking the appropriate steps to select and secure their passwords.

6.2.1 Passwords should be between 8 and 15 characters long and should include at least three of the following: uppercase letters, lowercase letters, numbers and special characters.

6.2.2 Users should be forced to change the password after first login.

6.2.3 Passwords should have a maximum validity period of 60 days.

6.2.4 A user may set the same password again only after every 03 times.

6.2.5 All administrative passwords should be changed every 02 months or after every major maintenance work, and a copy of all administrative passwords has to be kept in safe custody in a sealed envelope.

6.2.6 Users should never use the "Remember Password" feature in any application.

6.2.7 Passwords should not be saved unencrypted in a text file on any computer system, nor written on paper.

6.2.8 Login information should not be e-mailed through public channels.

6.2.9 Regarding legacy software related users and passwords:

6.2.9.1 Administrative USER IDs and passwords of Legacy Application Software must be kept by the respective Branch Managers with proper security.

6.2.9.2 Administrative USER IDs and passwords of Legacy Databases must be kept by the Branch Manager and Second Officer jointly. Passwords must be formed as per this policy.

6.3 Input Control

6.3.1 The session time-out period for users shall be 5 minutes in every system.

6.3.2 An audit trail shall be maintained for all user activities.

6.3.4 Software shall not allow the same user to be both maker (input maker) and checker (authorizer) of the same transaction.

Chapter 7
7.
ICT GOODS AND SERVICE RELATED MANAGEMENT

7.1 Procurement Management

As per the decision of the Board of Directors of Janata Bank Limited in its 225th meeting held on 03-04-2012 (memo # 704/2012), besides Information and Communication Technology Department-System and Information and Communication Technology Department-Operation, all Divisional Offices along with Local Office and Janata Bhaban Corporate Branch, Dhaka are delegated to act as Procuring Entities for procuring ICT related goods and services as per requirement. Every Procuring Entity must strictly follow the Public Procurement Act-2006 and the related Public Procurement Rules-2008 to procure ICT related goods (hardware, software, electrical equipment, network devices and connectivity, etc.) and related services. Procurement related personnel must be trained adequately to perform this specialized job.

7.2 Third Party Service Provider Management

In some cases the Bank may require services from a third party. A third party is defined as a partner, vendor, supplier or the like of Janata Bank Limited.

7.2.1 Service Level Agreement (SLA)

There shall be a Service Level Agreement between the vendor and the Bank as per rule. The Bank shall ensure that equipment does not contain sensitive live data when hardware is taken away by the service provider for servicing/repair. The Annual Maintenance Contract (AMC) with the vendor shall be active and currently in force.
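The user-access and password rules of sections 6.1.3 and 6.2 above, worked through as an added example (not the Bank's own code). It assumes salted PBKDF2-HMAC-SHA256 for password storage and reads 6.2.4 as forbidding reuse of the three most recent passwords; the policy text specifies neither.

```python
# Added example modelled on clauses 6.1.3 and 6.2 of the policy, not the Bank's code.
# Assumptions: salted PBKDF2-HMAC-SHA256 for storage, and 6.2.4 read as "no reuse of
# the three most recent passwords"; the policy text specifies neither.
from __future__ import annotations
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LEN, MAX_LEN = 8, 15        # 6.2.1: 8-15 characters
MIN_CLASSES = 3                 # 6.2.1: three of upper/lower/digit/special
MAX_AGE = timedelta(days=60)    # 6.2.3: maximum validity period
HISTORY_DEPTH = 3               # 6.2.4 (interpretation, see header comment)
MAX_FAILURES = 3                # 6.1.3: lock after three consecutive invalid attempts
PBKDF2_ROUNDS = 100_000         # assumption: the policy names no hashing parameters


def complexity_problems(pw: str) -> list[str]:
    """Return the 6.2.1 violations for pw; an empty list means compliant."""
    problems: list[str] = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters, got {len(pw)}")
    classes = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    if sum(classes) < MIN_CLASSES:
        problems.append(f"needs {MIN_CLASSES} character classes, got {sum(classes)}")
    return problems


def derive(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so no password is stored in clear (cf. 6.2.7)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    user_id: str                      # 6.1.1: one unique ID per user
    salt: bytes
    digest: bytes
    changed_at: datetime
    must_change: bool = True          # 6.2.2: change forced after first login
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # previous hashes
    failures: int = 0
    locked: bool = False

    def _recent(self) -> list[tuple[bytes, bytes]]:
        return ([(self.salt, self.digest)] + self.history)[:HISTORY_DEPTH]

    def login(self, pw: str, now: datetime) -> str:
        """Return 'locked', 'invalid', 'change_required' or 'ok'."""
        if self.locked:
            return "locked"
        if not hmac.compare_digest(derive(pw, self.salt), self.digest):
            self.failures += 1
            if self.failures >= MAX_FAILURES:   # 6.1.3: third failure locks the ID
                self.locked = True
                return "locked"
            return "invalid"
        self.failures = 0                       # a valid login resets the counter
        if self.must_change or now - self.changed_at > MAX_AGE:   # 6.2.2 and 6.2.3
            return "change_required"
        return "ok"

    def change_password(self, new_pw: str, now: datetime) -> list[str]:
        """Apply the change if compliant; return the violations (empty on success)."""
        problems = complexity_problems(new_pw)
        if any(hmac.compare_digest(derive(new_pw, s), d) for s, d in self._recent()):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")  # 6.2.4
        if problems:
            return problems
        self.history = self._recent()[:HISTORY_DEPTH - 1]
        self.salt = os.urandom(16)
        self.digest = derive(new_pw, self.salt)
        self.changed_at = now
        self.must_change = False
        self.failures = 0
        return []


def demo() -> dict[str, object]:
    """Walk one constructed account through first login, forced change, reuse and lockout."""
    t0 = datetime(2016, 3, 1)
    salt = os.urandom(16)
    acct = Account("constructed-user-01", salt, derive("Init1al!Pw", salt), t0)  # constructed
    out: dict[str, object] = {}
    out["first_login"] = acct.login("Init1al!Pw", t0)                 # 6.2.2 forces a change
    out["weak_rejected"] = bool(acct.change_password("abcdefgh", t0))  # one class only
    out["reuse_rejected"] = bool(acct.change_password("Init1al!Pw", t0))
    out["strong_ok"] = acct.change_password("Str0ng#Pass1", t0) == []
    out["login_ok"] = acct.login("Str0ng#Pass1", t0 + timedelta(days=30))
    out["expired"] = acct.login("Str0ng#Pass1", t0 + timedelta(days=61))  # past 60 days
    status = ""
    for _ in range(MAX_FAILURES):
        status = acct.login("wrong-guess", t0)
    out["after_failures"] = status
    return out
```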
Service contracts with all service providers, including third-party vendors, shall include:

a) Pricing
b) Measurable services/deliverables
c) Timing/schedules
d) Confidentiality clause
e) Contact person names (at daily operations and relationship levels)
f) Roles and responsibilities of the contracting parties, including an escalation matrix
g) Renewal period
h) Modification clause
i) Frequency of service reporting
j) Termination clause
k) Warranties, including service suppliers' employee liabilities, third-party liabilities and the related remedies
l) Geographical locations covered
m) Ownership of hardware and software
n) Documentation (e.g. logs of changes, records of reviewing event logs)
o) Right to have an information system audit conducted (internal or external).

7.2.2 Outsourcing

In case of outsourcing any job, the outsourcing activity shall be evaluated based on the following:

a) Objective behind outsourcing
b) Economic viability
c) Risks and security concerns.

The Bank shall develop a contingency plan for critical outsourced technology services to protect them from unavailability of services due to unexpected problems at the technology service provider. This may include a termination plan and the identification of additional or alternate technology service providers for such support and services.

Chapter 8
8. ACQUISITION AND DEVELOPMENT OF INFORMATION SYSTEMS

Any new application or business function for the Bank requires rigorous analysis before acquisition or development, to ensure that business requirements are met in an effective and efficient manner. This process covers the definition of needs, consideration of alternative sources, review of technological and economic feasibility, execution of risk analysis and cost-benefit analysis, and a final decision to 'make' or 'buy'. Many systems fail because of poor system design and implementation, as well as inadequate testing.
The Bank needs to identify system deficiencies and defects at the system design, development and testing phases. The Bank shall establish a steering committee, consisting of business, the development/technical team and other stakeholders, to provide oversight and monitoring of the progress of the project, including the deliverables to be realized at each phase of the project and the milestones to be reached according to the project timetable.

8.1 ICT Project Management

8.1.1 In drawing up a project management framework, the Bank shall ensure that the tasks and processes for developing or acquiring new systems include project risk assessment and classification, critical success factors for each project phase, and definition of project milestones and deliverables. The Bank shall clearly define in the project management framework the roles and responsibilities of staff involved in the project.

8.1.2 Project plans for all ICT projects shall be clearly documented and approved. In the project plans, the Bank shall set out clearly the deliverables to be realized at each phase of the project as well as the milestones to be reached.

8.1.3 The Bank shall ensure that user functional requirements, business cases, cost-benefit analysis, systems design, technical specifications, test plans and service performance expectations are approved by the relevant business units and ICT management.

8.1.4 The Bank shall establish management oversight of the project to ensure that milestones are reached and deliverables are realized in a timely manner.

8.2 Vendor Selection for System Acquisition

8.2.1 For vendor selection in large projects there must be a core team comprising personnel from the Functional Departments, ICT Department and Internal Control and Compliance Department; for normal system acquisition the core team must be formed from personnel of the related ICT department. The Bank may include external experts, as approved by the management, in case of need.
8.2.2 The vendor selection process must conform with the Procurement Policy of the Bank, i.e. the Public Procurement Act-2006 and the related Public Procurement Rules-2008.

8.2.3 Vendor selection criteria for applications must address the following:

a) Market presence
b) Years in operation
c) Technology alliances
d) Extent of customization and work-around solutions
e) Financial strength
f) Performance and scalability
g) Number of installations
h) Existing customer references
i) Support arrangement
j) Local support arrangement for foreign vendors
k) Weight of financial and technical proposal

8.3 In-house Software Development

8.3.1 Detailed business requirements shall be documented by the related departments and approved by the competent authority.

8.3.2 Detailed technical requirements and design shall be prepared.

8.3.3 Application security and availability requirements shall be addressed.

8.3.4 Functionality developed in the application shall be in accordance with the design specification and documentation.

8.3.5 A Software Development Life Cycle (SDLC) with User Acceptance Test (UAT) shall be followed in the development and implementation stages.

8.3.6 A User Verification Test (UVT) shall be carried out post-deployment.

8.3.7 System documentation and a User Manual shall be prepared. System documentation should be preserved and the User Manual should be handed over to the concerned department or the users.

8.3.8 Source code must be available with the concerned department and kept secure.

8.3.9 Source code shall contain a title area with author name, date of creation, date of last modification and other relevant information.

8.3.10 Applications shall comply with the relevant controls of the Bank's ICT Policy/ICT Security Policy.

8.3.11 Necessary 'Regulatory Compliance' requirements must be taken into account by the developing departments.

8.4 Software Documentation

8.4.1 Documentation of the software shall be available and safely stored.
8.4.2 The documentation shall contain the following:

a) Functionality
b) Security features
c) Interface requirements with other systems
d) System Documentation
e) Installation Manual
f) User Manual
g) Emergency administrative procedure

8.5 Statutory Requirements

8.5.1 All software procured and installed by the Bank MUST have legal licenses, and a record of the same shall be maintained by the respective unit/department of the Bank. In general, the concerned procuring department/divisional offices/branches need to preserve those legal licenses.

8.5.2 The concerned department/divisional offices/branches have to perform end-to-end testing of the software functionalities before implementation.

8.5.3 A User Acceptance Test shall be carried out and signed off by the relevant business units/departments before rolling out into LIVE operation.

8.5.4 An agreement, including a confidentiality agreement, must be maintained with the provider of any application software used in production.

Chapter 9
9. ALTERNATIVE DELIVERY CHANNELS (ADC) SECURITY MANAGEMENT

"Channelize through channels" is the new paradigm for banking today, which earlier relied solely on the branch network. Branchless banking is a distribution channel strategy used for delivering financial services without relying on bank branches. Alternate Delivery Channels are methods for providing banking services directly to the customers. Customers can perform banking transactions through an ATM, contact the bank's Call Center for any inquiry, access the digital Interactive Voice Response (IVR), perform transactions through Internet Banking and even on phones through mobile banking, etc. These channels have enabled banks to reach a wide consumer base regardless of time and geographic location. ADCs ensure higher customer satisfaction at lower operational expenses and transaction costs.
9.1 ATM/POS Transactions

ATMs and Point-of-Sale (POS) devices have provided cardholders with the convenience of withdrawing cash as well as making payments to merchants and billing organizations. However, these systems are targets where card skimming attacks are perpetrated. To secure consumer confidence in using these systems, the Bank shall consider putting in place the following measures to counteract fraudsters' attacks on ATMs and POS devices:

9.1.1 Card Management Department shall install anti-skimming solutions on ATM devices to detect the presence of unknown devices placed over or near a card entry slot.

9.1.2 The said department shall install detection mechanisms and send alerts to appropriate staff for follow-up response and action.

9.1.3 Card Management Department shall implement tamper-resistant keypads to ensure that customers' PINs are encrypted during transmission.

9.1.4 Card Management Department shall implement appropriate measures to prevent shoulder surfing of customers' PINs.

9.1.5 Card Management Department may implement biometric finger vein sensing technology to resist PIN compromise.

9.1.6 Card Management Department shall conduct 24-hour video surveillance of activities at these machines, maintain the quality of the CCTV footage and preserve it for at least one year.

9.1.7 Card Management Department shall introduce a centralized online monitoring system for cash balance, loading/unloading functions, machine disorders, etc.

9.1.8 The said department shall deploy security personnel at all ATM devices on a 24-hour basis.

9.1.9 Card Management Department shall verify that adequate physical security measures are implemented at ATM devices.

9.1.10 Card Management Department shall inspect all ATM/POS devices frequently to ensure that standard practice (i.e. environmental security for ATMs, anti-skimming devices for ATMs, POS device surface tampering, etc.) is in place with the necessary compliance.
An inspection log sheet shall be maintained in the ATM booth premises and centrally.

9.1.11 Card Management Department shall monitor third-party cash replenishment vendors' activities constantly and visit third-party cash sorting houses regularly.

9.1.12 The said department, in connection with HRDD and JBSC, shall train its merchants and provide them with the necessary manual on the security practices (e.g. signature verification, device tampering/replacement attempts, changing default passwords, etc.) to be followed for POS device handling.

9.1.13 Card Management Department shall take the initiative to educate its customers on the security measures that are put in place by the Bank and those to be maintained by the customers for ATM and POS transactions.

9.1.14 The Bank must follow the related circulars of Bangladesh Bank published from time to time in this regard. In particular, a message (SMS) must be sent to the customer's mobile after a transaction is committed with the card.

9.2 Internet Banking

Information involved in the internet banking facility passing over public networks shall be protected from fraudulent activity, dispute and unauthorized disclosure or modification. Banks' internet systems may be vulnerable as financial services are increasingly being provided via the internet. As a counter-measure, the Bank shall devise a security strategy and put in place measures to ensure the confidentiality, integrity and availability of its data and systems.

9.2.1 The Bank shall provide assurance to its customers and users that online access and transactions performed over the internet are adequately protected and authenticated.

9.2.2 The Bank shall properly evaluate the security requirements associated with its internet banking system and adopt mechanisms based on well-established international standards.

9.2.3 The concerned department shall formulate an Internet Banking Security Policy considering technology security aspects as well as operational issues.
9.2.4 The concerned department shall ensure that information processed, stored or transmitted between the Bank and its customers is accurate, reliable and complete. The Bank shall also implement appropriate processing and transmission controls, e.g. SSL, TLS, to protect the integrity of systems and data.

9.2.5 The concerned department shall implement 2-FA (two-factor authentication) for all types of online financial transactions. Hardware/software token based means will be preferred. The primary objectives of two-factor authentication are to secure the customer authentication process, to protect the integrity of customer account data and transaction details, and to enhance confidence in online systems.

9.2.6 An online session needs to be automatically terminated after a fixed period of time unless the customer is re-authenticated for the existing session to be maintained.

9.2.7 The concerned department shall implement monitoring or surveillance systems to follow up and subsequently address any abnormal system activities, transmission errors or unusual online transactions.

9.2.8 All system accesses, including messages received, shall be logged. Security violations (suspected or attempted) shall be reported and followed up. The Bank may acquire tools for monitoring systems and networks against intrusions and attacks.

9.2.9 The concerned department shall maintain high resiliency and availability of online systems and supporting systems (such as interface systems, backend host systems and network equipment). The Bank shall put in place measures to plan and track capacity utilization as well as to guard against online attacks. These online attacks may include denial-of-service (DoS) attacks and distributed denial-of-service (DDoS) attacks.
9.2.10 The Bank shall take appropriate measures to minimize exposure to other forms of attacks such as the middleman attack, commonly known as a man-in-the-middle attack (MITMA), the man-in-the-browser attack or the man-in-the-application attack.

9.2.11 The information security officer or any other assigned person/team shall undertake periodic penetration tests of the system, which may include:

a) Attempting to guess passwords using password-cracking tools
b) Searching for back-door traps in the programs
c) Attempting to overload the system using DDoS (Distributed Denial of Service) and DoS (Denial of Service) attacks
d) Checking for middleman attacks
e) Checking whether commonly known holes in the software, especially the browser and the e-mail software, exist
f) Checking the weaknesses of the infrastructure
g) Taking control of ports
h) Causing application crashes
i) Injecting malicious code into application and database servers.

9.2.12 The Bank shall educate its customers on security measures to protect them in an online environment.

9.3 Payment Cards

Payment cards allow cardholders the flexibility to make purchases wherever they are. Cardholders may choose to make purchases by physically presenting these cards for payment at the merchant, or they may choose to purchase over the internet, through mail order or over the telephone. Payment cards also provide cardholders with the convenience of withdrawing cash at automated teller machines ("ATM"). Payment cards exist in many forms, with magnetic stripe cards posing the highest security risks. Sensitive payment card data stored on magnetic stripe cards is vulnerable to card skimming attacks. Card skimming attacks can happen at various points of payment card processing, including ATMs, payment kiosks and POS terminals.

9.3.1 The concerned department which provides payment card services shall implement adequate safeguards to protect sensitive payment card data.
The concerned department shall ensure that sensitive card data is encrypted, to ensure the confidentiality and integrity of these data in storage and transmission.

9.3.2 The Bank shall ensure that the processing of sensitive or confidential information is done in a secure environment.

9.3.3 The Bank shall deploy secure chips supporting multiple payment applications to store sensitive payment card data. For interoperability reasons, where transactions can only be completed using information from the magnetic stripe on a card, the Bank shall ensure that adequate controls are implemented to manage these transactions.

9.3.4 The concerned department (not a third-party payment processing service provider) shall perform the authentication of customers' sensitive static information, such as PINs or passwords. The concerned department shall perform regular security reviews of the infrastructure and processes being used by its service providers.

9.3.5 Equipment used to generate payment card PINs and keys shall be managed in a secure manner.

9.3.6 The card personalization, PIN generation, card distribution, PIN distribution and card activation groups shall be different from each other.

9.3.7 The Bank shall ensure that security controls are implemented on payment card systems and networks. The Bank must comply with industry security standards, e.g. the Payment Card Industry Data Security Standard (PCI DSS), to ensure the security of cardholder data.

9.3.8 The concerned department shall only activate new payment cards upon obtaining the customer's instruction.

9.3.9 The concerned department shall implement a dynamic one-time password ("OTP") as 2-FA for CNP (Card Not Present) transactions via the internet to reduce the associated fraud risk.

9.3.10 To enhance card payment security, the Bank shall promptly notify cardholders via transaction alerts, including source and amount, of any transactions made on the customers' payment cards.
9.3.11 The Bank shall set out risk management parameters according to the risks posed by cardholders, the nature of transactions or other risk factors, to enhance fraud detection capabilities.

9.3.12 The Bank shall implement a solution to follow up on transactions exhibiting behaviour which deviates significantly from a cardholder's usual card usage patterns. The Bank shall investigate these transactions and obtain the cardholder's authorization prior to completing the transaction.

Chapter 10
Business Continuity Plan for ICT
10. BUSINESS CONTINUITY PLAN (BCP):

A Business Continuity Plan (BCP) is one of the essential elements of any business that is extremely susceptible to external factors which might impact the business in a significant way. As the banking sector plays a fundamental role in economic growth and stability, both at national and individual level, and requires continuous and reliable services, BCP is a critical issue for this sector. Moreover, the increased contribution of 24x7 electronic banking channels has increased the demand to formulate consolidated Business Continuity Planning (BCP) guidelines covering the critical aspects of people, process and technology. The Business Continuity Plan (BCP) is required to cover operational risks and should take into account the potential for wide area disasters, data center disasters and the recovery plan. The BCP should also address the backup, recovery and restore process. Keeping this in consideration, this chapter covers the Business Continuity Plan (BCP), the Disaster Recovery Plan (DRP) for centralized operation and the Backup and Restore Plan (BRP) for distributed operation.
Creating documents, taking preparation, proper testing and updating of the BCP will ensure the following for Janata Bank Limited:

• Continuation of critical business processes when a disaster destroys data processing capabilities;
• Timely recovery of critical business operations;
• Minimized loss;
• Compliance with legal and regulatory requirements.

Formulation, implementation and maintenance of a comprehensive BCP is a vital issue for such a large-scale bank as Janata Bank Limited to consider.

10.1 Roles, Responsibilities and Process of BCP for ICT

The Bank's authority has the ultimate responsibility and oversight over the BCP activity of the Bank. Senior Management of Janata Bank Limited is responsible for overseeing the BCP process, which includes:

• Determining, managing and controlling core risks;
• Business continuity planning that includes the recovery, resumption and maintenance of all aspects of the business, not just recovery of the technology components;
• Following a cyclical, process-oriented approach that includes a Business Impact Analysis (BIA), a risk assessment, management and monitoring, and testing;
• Allocating knowledgeable personnel and sufficient financial resources to execute the BCP;
• Prioritizing critical business functions;
• Designating a BCP committee which will be responsible for Business Continuity Management;
• Annually evaluating and reviewing the adequacy of the Bank's business recovery and contingency plans and the test results, and putting up the same to the Board of Directors;
• Ensuring that the BCP is independently reviewed and approved at least annually;
• Ensuring that employees are trained and aware of their roles in the implementation of the BCP;
• Ensuring that the BCP is continually updated as per test results to reflect the current operating environment.
10.2 Preparation of BCP Committee for ICT

Since electronic banking has functions spread across more than one department, it is necessary that each department understands its role in the plan. It is also important that each gives its support to maintain it. In case of a disaster, each has to be prepared for a recovery process aimed at protection of critical functions. To this end, a set-up like the BCP Committee, charged with the implementation of the BCP in an eventuality, is helpful, with all departments expected to fulfil their respective roles in a coordinated manner. Hence, a committee consisting of senior officials from departments like ITD (Operation, System, Software & IT Systems Security and Card), MIS and HR needs to be instituted with the following broad mandate:

• The BCP team must include both business and IT personnel;
• To exercise, maintain and invoke the business continuity plan, as needed;
• To ensure that the Business Continuity Plan (BCP) fits with other plans, the requirements of concerned authorities and budgetary issues;
• To ensure training and awareness on BCP for concerned teams and employees;
• To coordinate the activities of other recovery, continuity and response teams and handle key decision-making;
• To handle legal matters evolving from the disaster, and public relations and media inquiries;
• To communicate and promote awareness.

Serial No | Name & Designation           | Designation in BCP
01        | DMD, ICT                     | Chairperson
02        | GM, ICT                      | Member
03        | GM, HR                       | Member
04        | GM, GBD                      | Member
05        | DGM, ICTD-Operation          | Member Secretary
06        | DGM, ICTD-System             | Member
06        | DGM/AGM, Security Cell       | Member
07        | DGM/AGM, CDC Department/Cell | Member
08        | DGM, MIS                     | Member
09        | DGM, CMD                     | Member
10        | DGM, ICT Audit               | Member

10.3 Guideline of Business Continuity Plan for ICT

The Business Continuity Plan is applicable to Head Office, Divisional Offices, Area Offices and all Branches of Janata Bank Limited.
All the applicable areas of the BCP have been categorized into three different tiers.

• Tier-1: Tier-1 covers the centralized ICT operation through the Data Center (DC), including the Disaster Recovery Site (DRS), to branches connected through WAN, with 24x7 attended operation.
• Tier-2: Tier-2 covers all the ICT operations of Head Office, Divisional Offices, Area Offices and Branches having servers, desktop computers or laptops which are all connected through a LAN.
• Tier-3: Tier-3 covers the ICT operations of Head Office, Divisional Offices, Area Offices and Branches having standalone computer(s) and laptops.

10.3.1 Business Continuity Plan (BCP) for ICT Operations (Online Operation):

a) All system security, environmental security and physical protection should be ensured and maintained for all the main servers, storage equipment, SAN, networking devices, temperature and humidity controlling devices and other related devices.
b) Server load balancing should ensure application availability and data availability, facilitate tighter application integration, and intelligently and adaptively balance user traffic based on a suite of application metrics and health checks.
c) Link load balancing should be ensured; it addresses WAN reliability by directing traffic to the best performing links. Where server load balancing provides availability and business continuity for applications and infrastructure running within the data center, link load balancing ensures uninterrupted connectivity from the Data Center and DRS.
d) For ensuring global load balancing, geographical load balancing may be applicable for reliability between geographically dispersed Data Centers and the Disaster Recovery Site. Global load balancing delivers high availability; if one site goes down, traffic will automatically redirect to other working sites.
e) Support delivery through secure applications and software must be ensured.
f) High performance hardware acceleration may provide the highest level of application security, availability and performance.
g) TCP (Transmission Control Protocol) acceleration offloads connections and sessions in several ways to optimize data flows and reduce the impact on servers, preventing them from being overloaded.
h) Implementation of DRS operation, periodic testing and proper maintenance should be ensured by the respective Department/Cell.
i) Identify and rank the threats that pose risks to the critical assets.
j) Daily, monthly, quarterly, half-yearly and yearly data backups of necessary Servers, Network Devices, Applications and Databases should be taken and kept in a separate, secure and feasible location as per approval of the concerned management.
k) All Online branches must store the softcopy of account balances (branch wise) in a secured location on a daily basis.
l) Backup tapes/disks should be preserved in fire and water proof lockers.
m) Emergency contacts, addresses and phone numbers, including vendors, should be stored in a visible place.
n) All the related guidelines and instruction circulars of Janata Bank Limited must be followed properly.
o) Real time data synchronization must be ensured from DC to DR.
p) A VPN must be used over the mobile network for any secured financial transaction.

10.3.2 Business Continuity Plan (BCP) for ICT Operations (Legacy Operation):

a) All system security, environmental security and physical protection should be ensured and maintained for all the servers located in Head Office, Divisional Offices, Area Offices and Branch Offices.
b) All the Servers, networking devices, LAN and other hardware should be maintained by IT personnel or the designated authority.
c) In case of emergency, readiness of configured backup servers and other resources must be ensured by the respective Committee.
d) Use Administrative Tools / Local Security Policy to enable password complexity on all operating system versions of servers and networked computers.
e) Daily, monthly, quarterly, half-yearly and yearly data backups must be kept in neighbouring Divisional Offices/Area Offices/Branches as per the guidelines and instruction circulars of Janata Bank Limited.
f) Sufficient power supply and related controlling devices (Online UPS, standalone UPS, Generator, AVR etc.) should be ensured.
g) All the related guidelines and instruction circulars must be followed properly.

10.3.3 Business Continuity Plan (BCP) for ICT operations (Standalone PC/Laptop):

System security, environmental security and physical protection should be ensured and maintained for all standalone computer(s) located in all departments of Head Office, divisional offices, area offices and branch offices.

1. Necessary official data and information should be kept secure.
2. Backup of necessary data must be kept.

10.3.4 COMMON BCP PLAN FOR ICT OPERATIONS (ALL TIERS):

a) Tier wise sufficient power supply, temperature controlling system and other related devices should be ensured.
b) Tier wise firefighting system should be ensured and tested periodically.
c) Prioritize risks by focusing on assets affected by credible disaster threats and existing vulnerabilities.
d) Configure the BIOS to boot the computer from the hard drive only. Do not allow the stand-alone computer to be booted from the diskette or CD-ROM drive.
e) Password-protect the BIOS so that changes cannot be made to the BIOS without authorization.
f) Control access to the data.
g) Secure the computer on the table or in a locked room in which sensitive data resides.
h) Restrict access to sensitive data to project personnel using the security features available via the operating system (e.g., login via user id/password and NTFS permissions in Windows, ACLs in Linux and OS X). The restriction should be applied at OS level (Windows, Linux etc.) with whichever security feature protects the sensitive data.
i) Require strong passwords. Passwords should be maintained as per the password policy of JBL.
j) Note vulnerabilities for accounts with no passwords or weak passwords: in case of a weak password or no password, note down the vulnerability for the respective account.
k) Restrict/prevent anonymous access and enumeration of accounts and shares.
l) Disable the Guest account.
m) Review of the BCP must be done at least once a year.

Janata Bank Limited has included scenarios and protocols in the BCP to develop more comprehensive plans. In this regard JBL has already published various Instruction Circulars (i.e. Ins. Circular 450/13, Date: 22/04/13 and Ins. Circular 433/13, Date: 04/02/13 for backup and power). Existing and forthcoming circulars and guidelines which are related to Business Continuity, Backup, Disaster, Recovery and Restore must be followed in due respect. This BCP will be used in all fields of ICT operations of Janata Bank Limited to support data and information availability, to re-establish critical business functions and to ensure services are maintained.

Chapter 11 DISASTER MANAGEMENT POLICY (DMP) FOR ICT

11.1 DISASTER RECOVERY PLAN (DRP) For ICT

The need for an effective Business Continuity Plan (BCP) for banks has never been so evident. With the great advancement of ICT, scholars and regulatory bodies across the world have recognized the critical need for banks to keep operating even in the face of disasters. Concurrent with the industry's increased reliance on technology has been the birth and evolution of another industry: the disaster recovery industry.
With a view to encouraging the banking sector to implement adequate measures to ensure business continuity, several regulations have been introduced both locally and internationally. The strategies and mechanisms of planning have been discussed in the BCP. However, as with any other planning, the planning process can fall short of the worst-case scenario, i.e. when the present plan does not succeed in preventing the disaster and the disaster strikes. Disaster Recovery therefore takes place for recovery after the disaster.

11.1.1 DISASTER DEFINITION

Disaster Recovery (DR) is the process an organization uses to recover access to the computer systems on which its operations depend, including Hardware, Local Area Networks (LAN), Applications, Database, Internet, e-Mail and staffing. Janata Bank Limited has laid out contingency plans both for sudden and unexpected loss of ICT resources and for loss of key personnel, to give the bank operational and data availability and allow it to operate at the maximum capacity possible even in the aftermath of a disaster. Any interruption to the daily and scheduled computer operation that prompts a decision to go to off-site operation/manual operation can be defined as a Disaster. Disasters result from three types, or combinations, of incidents, caused by:

1. Natural or cataclysmic events (e.g., earthquakes, fires, floods and storms);
2. Human behavior (e.g., robberies, bomb threats, acts of arson, hostage events); and
3. Technological breakdowns (e.g., power outages, system crashes and virus attacks).

When the DRP comes into play there are two necessary measures: Critical Time Frame (CTF) and Maximum Tolerable Outage (MTO). The MTO is the maximum time that the business will survive from the initial service interruption and the CTF is the minimum time within which the bank can complete the recovery process.
Bank Management has to decide on the length of the MTO and CTF and will need to review that measurement on a regular basis, especially as the number of on-line branches is increasing day by day.

11.2 IMPACT OF DISASTER ON JBL ICT OPERATION

The intent of a DRP is to provide direction to the computer system recovery process in the event of an interruption in continuous service resulting from an unplanned and unexpected disaster. The impact of a disaster and its destruction can be broken down into three categories: Case 1 - worst case situation, Case 2 - moderate deviation and Case 3 - nominal deviation.

Case 1: The worst case situation presumes the Data Centre's inoperativeness for the foreseeable future, which can be caused by natural or cataclysmic events or other disasters. It also presumes the total wrecking of the Data Centre, including loss of human life. Uncertainty and inoperativeness may be the ultimate result unless the bank relies on a Disaster Recovery Site (DRS); the DRS will immediately take over the Data Centre (DC)'s position and recover the Bank's operation within a given/planned timescale (MTO and CTF).

Case 2: A moderate deviation can cause a business disruption of a few days, which means the data center or the server rooms located in branches or in controlling offices can resume operation within this span of time. The Bank should have a contingency plan to counter this type of scenario. The DRS is the ultimate solution for backing up the DC in the event of a disaster.

Case 3: A nominal or minor deviation refers to a situation which can cause a few hours of partial inoperativeness of the data center or the server rooms located in branches or in controlling offices, and which does not require the complete attention of the Disaster Recovery Plan.

11.3 SCOPE OF DRP FOR ICT Operation

Janata Bank Limited has already completed implementation of the Offline banking system in every branch.
Meanwhile a real-time online banking system has been introduced which allows the bank to render real-time service to its clients (i.e. bank user staff and customers). Keeping this in mind, Janata Bank Limited has established a DC and DRS, and their operational guideline must be of prime concern to Janata Bank Limited. So JBL has introduced a two-level recovery strategy for all ICT operations:

- Business recovery time objective: how long can the business continue to function without the critical IT services, accounting, human resources and other functions?
- Technical recovery point objective: from what point in the processing cycle is the data going to be recovered? There are several options:
  - Zero data loss, recovery to the point of failure;
  - Start of the current business day (SOD);
  - End of the previous business day (COB, EOD);
  - Intraday, a point between the last available backup (either SOD or COB/EOD) and the failure, for argument's sake midday;
  - Period end, the weekly or monthly backup.

11.4 DISASTER RECOVERY PLAN For ICT operation

The primary objectives of a Disaster Recovery Plan are to guide the bank in the event of a disaster and to effectively re-establish critical business operation within the shortest possible period of time with minimal loss of industry goodwill. For Tier-2 & Tier-3, the recovery related Ins. Circulars must be followed properly to recover ICT services. As the recovery of Tier-1 ICT operations relates to the DRS, some hard rules should be fixed for the DRP. In developing the plan, senior management must understand the level of effort needed to develop, test and review a DRP. The following points must be dealt with:

a. Management must commit to supporting the planning effort and ensure its success both on a short-term and ongoing basis.
b. A project team (i.e. DRT) must be selected that incorporates an appropriate balance between IT and business management members, to ensure that the resulting plan covers the requirements of both IT and the Business.

Serial No   Name & Designation                 Designation in BCP
01          GM, ICT                            Chairperson
02          GM, GBD                            Member
03          DGM, ICTD-Operation                Member Secretary
04          DGM, ICTD-System                   Member
05          DGM/AGM, CDC Department/Cell       Member
06          DGM, MIS                           Member
07          DGM, CMD                           Member

c. A process needs to be developed to keep the plan up to date, representing and reflecting the true business and computing environments at all times. In addition, implementing solutions designed to mitigate risk often necessitates major expenditure.

Basically the Disaster Recovery Plan includes three core steps: Phase 1: Plan Initiation & Damage Assessment, Phase 2: Repairing and Phase 3: Resume normal operation.

Phase-1: Plan Initiation & Damage Assessment
Assessment of the occurrence of a disaster and its severity should include, but not be limited to, the geographical location, building composition, computing environment and physical plant security, including installed security devices.

Phase-2: Recovery Process
Based upon the severity of destruction, the damage assessment team will formulate a task schedule to restore operation. The team will be formed by the respective Department/Cell with at least three members headed by an Assistant General Manager.

Phase-3: Resuming Normal Operation
This phase enables the bank to get back to its normal operational procedures by restoring the DC. This may require an undefined time frame depending upon the impact of the disaster. It should be noted that disaster may strike the DRS first and the plan should take this possibility into account.

STEP BY STEP PROCEDURE OF DISASTER RECOVERY FOR DRS

PHASE-1 DAMAGE ASSESSMENT
Minor Deviation to Normal Operation:
- Data Center (DC) active with some disruption (can be caused by network failure, power failure etc.).
- Responsible Person: AGM CDC, Concerned Office and Estate Dept.
Major Deviation to Normal Operation:
- DC goes offline.
- DRS comes online.
- Parallel operation begins.
- Responsible Person: AGM, CDC.

PHASE-2
Minor Deviation to Normal Operation:
- Necessary action taken to fix the problem of DC.
Major Deviation to Normal Operation:
- Necessary action taken to fix the problem of DC.
- DRS takes over the DC's position to operate normally.
Responsible Persons: AGM CDC & DRS in charge; Network System, CDC & DRS.

PHASE-3 RESUME NORMAL OPERATION
Minor Deviation to Normal Operation:
- Review the recovery process (change of strategy if needed).
Major Deviation to Normal Operation:
- Verify the whole process and test the performance of DC.
- Continue operation until DC comes online.
Responsible Persons: GM IT, DGM ICTD (System & Operation).

The DR plan should also encompass other major issues such as manpower support (i.e. Disaster Recovery Department), technological support etc. Another important issue is measuring the Critical Time Frame (CTF) and Maximum Tolerable Outage (MTO) for all three Tiers of the bank's ICT operations.

Tier      Case-1     Case-2     Case-3
Tier-1    4 hours    2 hours    1 hour
Tier-2    3 hours    2 hours    1 hour
Tier-3    2 hours    1 hour     30 Min.

11.5 FORMATION OF DISASTER RECOVERY TEAM (DRT) For ICT Operation

The effectiveness and operability of the Disaster Recovery Plan depends on the knowledge and expertise of the personnel who design, develop, update and execute the plan. For the three Tiers there should be a designated team, by number and type, which will execute the DRP for Janata Bank Limited. The Disaster Recovery Team (DRT) should be fully dedicated towards recovering the system and should be designed for the worst case situation, where the DRS has to be in operation 24 hours per day. The Disaster Recovery Team for DRS, therefore:

1. Should have the capability to run the whole system totally independently.
2. Should ensure expeditious and efficient recovery of computer processing.
3. Should have intermediate and minor impact/expenditure decision authority for the Information Technology personnel during the recovery process.
4. Authority for major impact/expenditure decisions should be at management level.
5. Should select the Critical Time Frame (CTF) and Maximum Tolerable Outage (MTO) based on a specific methodology to ensure restoration of operations within expectation.
6. Should ensure streamlined reporting of recovery progress from recovery teams upward to senior management and end-users if needed.

11.5.1 DRT'S ORGANIZATION CHART:

A team of at least 20 personnel is required for the Disaster Recovery Team/Rescue Team for Online banking purposes, structured as follows:

DRD Designation                                              Bank Designation                                                  Number of Persons
Team Leader                                                  Deputy General Manager                                            1 Person
Senior Recovery Manager                                      Asst. General Manager (One from Business & one from IT)           2 Persons
Recovery Manager                                             First Asst. General Manager (One from Business & one from IT)     2 Persons
Damage Assessment Officer                                    Senior Executive Officer (One from Business & one from IT)        At least 2 Persons
Hardware/System/Software/Database/Network Recovery Officer   Executive Officer (Computer)                                      At least 8 Persons
Support Staff-1 & 2                                          MLS                                                               At least 3 Persons
Security personnel                                           MLS/Guard                                                         At least 2 Persons

The Team Leader will be responsible for the total operational activities in the DRS and should produce a weekly report on the state of readiness of the DRS for necessary action. For Offline Banking operation, such a DRT should be organized as per management decision.

11.5.2 DRT'S RESPONSIBILITIES:

The Disaster Recovery Management team is responsible for managing the recovery effort as a whole, ensuring restoration occurs within planned Critical Time Frames, and assists in resolving problems requiring management action. The initial responsibility of the DRT begins with damage assessment.
The head of the DRT has to be located close to the IT Division/Data Centre of the Bank and should have the competence and authority to assess the Data Centre's damage when disaster strikes. The Senior Recovery Manager will be in charge of the DRS and will report directly to the Team Leader. All other recovery teams will report directly to the Recovery Management Team. The Recovery Management Team is charged with:

Pre-Disaster
1. Approval of the final Disaster Recovery Plan from Executive Management/Board;
2. Ensure the Disaster Recovery Plan is maintained;
3. Ensure Disaster Recovery Training is conducted;
4. Authorize periodic Disaster Recovery Plan testing;
5. Maintain and update the Plan as scheduled;
6. Distribute the Disaster Recovery Plan to Recovery Team Members;
7. Appoint Recovery Team members and alternates as required;
8. Coordinate the testing of the Plan;
9. Train Disaster Recovery Team members in regard to the Plan.

Post-Disaster
1. Declaration of a Disaster;
2. Determine the strategy to be implemented;
3. Determine alternate team members and other support members for the recovery process;
4. Manage, monitor and coordinate the overall recovery process;
5. Coordinate media and press releases if needed;
6. Assist in assessing the extent of damage to Data Centre Facilities and the ability to provide data processing service to the organization;
7. Initial notification of disaster declaration to the Recovery Team;
8. Coordinate all Recovery Teams;
9. Manage the Disaster Recovery Site;
10. Notify the Systems, Application & Network Software Team to request off-site system backups, manuals, equipment and documentation when needed;
11. Report to Management the status of the recovery effort;
12. Provide full support to the Data Centre to recover from the damage, if needed.

The responsibilities of the rest of the team should mirror the responsibilities of the Data Centre Operating Team.
All personnel working under the DRT must be highly computer literate and have the expertise to operate the department independently if the Data Centre goes down (worst case situation).

11.5.3 ADDITIONAL PARTS OF THE PLAN

- The DRT will work under the IT department and should follow the maintenance procedure as it pertains to the DC.
- Risk Coverage Funding: subject to the approval of management, a risk coverage funding policy should also be adopted to prevent capital loss in the event of damage/destruction of the DRS and other locations.

11.6 ACTION STEPS TO CREATE FULL DISASTER RECOVERY CAPABILITY:

1. Appoint Disaster Recovery Manager.
2. Create a Business Continuity steering committee chaired by DMD.
3. Select / appoint appropriate team.
4. Start to put elements of the Disaster Recovery Plan in place:
   - Assessment of current DR and temporary capability;
   - Identify current mission critical functions / units;
   - Identify appropriate / suitable Disaster Recovery Site;
   - Identify and install appropriate Hardware/Software/Communications etc.;
   - Training of key personnel;
   - Documentation of the plan;
   - Review & update the plan as required.

11.6.1 DISASTER RECOVERY PLANNING (DRP) GUIDELINE:

The following paragraphs incorporate checklists for Janata Bank Limited management which could prompt a review and subsequent update of the plan:

11.6.1.1 COMMON GUIDELINE FOR TIER-1, TIER-2 AND TIER-3 ICT OPERATION:

1. Have the phone numbers of the fire service and police departments.
2. Keep extra tape, CD, DVD or any other flash drive backups in such a place where the related persons can always get to them.
3. Make sure of testing of CD, DVD, flash drive and DRS backups to check read and restore consistency.
4. Have battery back-up for all alarms and other emergency hardware for when the power is down.
5. Have a binder off-site with a copy of necessary written documentation, drafts, manuals, forms, instructions and phone numbers.
6. Make sure the server room, power room, gas suppression system, telephones and electrical service "rooms" are protected from "falling" water to prevent common causes of disaster.
7. Arrangement of "emergency cabinets" containing: candles, matches, flashlights, tool box and first-aid kit.
8. Have at least one exit in both DC and DRS which can be used without a key.
9. Restriction of unauthorized entrance in DC, DRS and Server rooms located in different locations.
10. Periodic test/dummy test of gas suppression and other security systems.
11. Full compliance with all related Ins. Circulars and guidelines for every Tier.

11.6.1.2 TECHNICAL GUIDELINE BEFORE RECOVERY:

1. Recognize the changes in Servers, workstations, Laptops, Stand-alone computers, networking devices, storage, SAN, AC, Power system, fire system and other hardware placed in Tier (Tier-1, Tier-2 & Tier-3) based locations.
2. Perceive the changes in operating system and utility software programs such as banking application software, database, networking devices etc.
3. Identify the changes in communication network design.
4. Review changes in personnel assignments appointed in the various recovery teams of all three Tiers (i.e. DRT).
5. Identify the changes in off-site storage facilities, location or methods of cycling items.
6. Improvements or physical changes to the current LAN in the data centre/DRS.
7. Review of CTF for availability and delivery of replacement computer components.
8. Start the scheme of backing up data or equipment as discussed in the Backup and Restore Plan (BRP) section.

11.6.1.3 EXECUTIVE GUIDELINES:

1. Readiness of an alternate person with full authority for disaster recovery, in the event that the usual person in charge is not available.
2. Assign replacements for individuals within the Recovery Team who have been transferred, promoted or left the bank.
3. Fulfil the requirements of internal systems that have been significantly modified to change the basic functions, data flow or accounting process.
4. Keep the information on computer equipment inventory changes.

11.7 CONCLUSION

Disaster Recovery or Business Continuity planning is a complex and difficult process. A complete DRP requires various steps to come to a solid form and it should be an open ended plan. It has to pass a critical span of time to test its effectiveness and importance to prove its worth in a real disaster situation.

Chapter 12 BACKUP AND RESTORE PLAN (BRP)

The key to disaster recovery is a proper backup plan. To facilitate backup plans, users must communicate their plan to their computer support staff and other involved offices. There are several options to ensure data is recorded until system recovery is completed and data is synchronized to the point of the event. The Backup and Restore Plan (BRP) consists of taking backups of software, data and operating system, including their frequency, storage, retention, documentation and restoration. The related Backup and Restoration Procedure will determine the type of backups to be performed, the periodicity or schedule of the backup, and the protection to be provided to backups, determined by the criticality of data, information and ICT assets of Janata Bank Limited.

12.1 SCOPE OF BACKUP AND RESTORE PLAN (BRP)

This BRP Policy covers all ICT environments operated by Janata Bank Limited. This term covers the total environment and includes, but is not limited to, all documentation, physical and logical controls, personnel, hardware (e.g. Data Center, distributed servers, stand-alone computers, Laptops, network devices, and databases), software, data and information. All users are required to read, understand and comply with the other Information Security policies, standards, and procedures.
If any user does not fully understand anything in these documents, he should consult his systems administrator, business or functional manager, or human resources department, as applicable, who will contact the Information Technology Department.

12.2 BACKUP AND RESTORE PLAN (BRP) PROCEDURE TOOLS:

1. Backup requisite hardware
2. Backup Types
3. Backup Media
4. Backup Frequency
5. Availability and Integrity of Data
6. Backup Cycles/Generations
7. Backup Storage
   - On-site Storage
   - Off-site Storage
8. Physical and Environmental Controls
9. Backup Retention Period
10. Documentation; &
11. Transportation Log

12.3 DESCRIPTION OF TOOLS:

12.3.1 Backup requisite hardware:

This step applies to the Tier-1 category. To comply with this backup policy, a dedicated backup server, storage device and tape library are required in the Data Center and Disaster Recovery Site.

12.3.2 Backup Types:

Backup of servers will occur every day after regular business hours and this step should be followed for all Tiers (respectively for Tier-1, Tier-2 and Tier-3).

- Full backup: Includes all the source files of application, software, database, operating system and log files. This process will ensure one full backup once a week, followed by differential and/or incremental backups.
- Differential backups: Includes files that have been changed since the last Full or Incremental backup.
- Incremental backups: Includes only files that have changed since the last Full or Incremental backup. The next time an incremental backup is done, this file is skipped (unless it is modified again).

12.3.3 Backup Media

12.3.3.1 Tier-1:
- Tape Drive
- External Hard Drives
- Online Services (Cloud/Cross-border) if approved by management.
12.3.3.2 Tier-2 & Tier-3:
- Removable drives (CD, DVD, Floppy disks, External devices etc.)

12.3.4 Backup Frequency

The frequency of data backup for each system must be determined by considering the 'Availability' and 'Integrity' criteria in accordance with the bank's Asset Classification, Protection, Labeling & Handling Scheme.

12.3.5 Availability and Integrity of Data:

Data availability and integrity should be checked after taking the backup.

12.3.6 Backup Cycles/Generations

At least three generations or cycles of back-up information must be retained for important business applications and critical data of the bank's ICT resources. Additional numbers of generations or cycles of backup must be determined by taking into account the criticality and specific requirements of different systems.

12.3.7 Backup Storage

12.3.7.1 On-site Storage:

The on-site backup media log must contain the following information:
- Date of taking the backup
- Contents of the media (e.g. transaction backup, application backup, entire system backup)
- Date of transporting the media to the off-site location
- Nature of backup (e.g. full backup or database or file copy)
- Name and signature of the responsible person at the on-site location
- Any other label information

12.3.7.2 Off-site Storage:

The off-site backup media log must contain the following information:
- Date of receiving the media at the off-site location
- Contents of the media (e.g. transaction backup, application backup, entire system backup)
- Nature of backup (e.g. full image copy or file copy)
- Name of the Carrier
- Name of the original location
- Name and signature of the responsible person receiving the media at the off-site location
- Any other label information

12.3.8 Physical and Environmental Controls

Back-up information must be given an appropriate level of physical and environmental protection consistent with the standards applied at the Data Center or any other processing facility covered by the Tier-2 and Tier-3 categories.

12.3.9 Backup Retention Period/Policy:

Backups of all data must be retained such that all systems are fully recoverable. At a minimum, each backup must be retained for a specific number of days/weeks/months/years. The retention period, and any requirement for archive copies to be retained for longer periods (or permanently), must be formally determined for critical business information as well as on the basis of any legal requirements. The retention policy should be followed for all three Tiers. The Bank has to follow a retention period policy for backups as follows:

- Daily backups take place on a seven day (Online) or six day (Offline) rotation.
- Weekly backups take place on a weekly rotation.
- Monthly backups of high availability servers occur on the last calendar day of the month and are on a twelve month rotation.
- Quarterly backups take place on a twelve month rotation.
- Half-yearly backups take place on a twelve month rotation.
- Yearly backups take place on a twelve year rotation.

Special backups may be made for longer retention periods during special situations such as system upgrades and major projects.

12.3.10 Documentation

Backup documentation must include identification of all critical data, programs, documentation, and support items that would be necessary to perform essential tasks during a recovery period. Each backup medium must be appropriately labeled with details of owner, date and nature of backup (e.g. full image copy or file copy).
In addition, it must be given a classification label, as applicable, according to the Information Labeling Procedure.

12.3.11 Transportation Log:

All backup media to be transported from the Data Center, DRS, Tier-2 & Tier-3 locations to the approved off-site location must be logged in a register. All backup media received from all the Tier locations and stored at the off-site location must be logged in a register at the off-site storage location by the concerned officials.

12.4 Backup policy for Data Center and Disaster Recovery Site: Tier-1

Restoration of backups will require specific and appropriate authorization and must be performed in accordance with the Backup and Restoration Procedure.

- Backup may be a combination of Operating System, all applications, data (including databases), user configuration information, network device configuration and hardware configuration information, image copies, full backups, incremental backups, differential backups, system logs, transactional logs, database logs or other techniques.
- A minimum level of back-up information, together with accurate and complete records of the back-up copies and documented restoration procedures, must be stored in a remote location, at a sufficient distance from the Data Center and other processing facilities to escape any damage from a disaster at the main site.
- At least two copies of a fully recoverable version of all daily, weekly, monthly, quarterly and yearly backup tapes of critical data must be made. One copy must be stored at the Data Center or the main processing facility, whereas the other copy must be stored at an off-site storage location so as to be readily available.
- Systems/Network Administrators will take backups of Operating systems, Databases, User configuration, Network devices, related applications and hardware configuration information as per the comprehensive schedule.
- Systems Administrators/Assigned Officers shall verify the back-up process of data and other operations to make sure that they are backed up successfully.
- Systems/Network Administrators shall perform a backup before and after installing patches, batches or upgrades or making any configuration changes on the system.
- Backed up data that is confidential must be stored in encrypted form/safety lockers/fire & water proof lockers.
- Testing of backup media should be ensured.
- The quality of backup media (e.g. CD, DVD, Tape etc.) and their condition for re-use should be checked regularly by the concerned authority.
- After completion of backup testing, all data must be safely erased from the test environment.
- A test report should be prepared and submitted to the concerned authority after testing is completed.

12.5 General Backup Policy for Tier-1, Tier-2, Tier-3:

- Daily, weekly, monthly, quarterly and yearly backups of essential business information, data, software and operating systems should be taken according to a comprehensive schedule.
- Systems Administrator(s) shall perform a verification process on the back-up data to make sure that it is backed up successfully.
- Primary Backup should be preserved in the Hard Disk Drive (HDD) of servers and several desktops.
- A copy of the Secondary Backup should be preserved in CD/DVD/TAPE format and handed accordingly to the manager of Divisional Offices/Area Offices/Regional Offices/Branches so as to be readily available.
- Adequate back-up facilities should be provided to ensure that all essential business information and software can be recovered following a disaster or media failure.
- Back-up arrangements for individual systems and related data should be tested according to a formal schedule to ensure that they meet the requirements of business continuity plans.
 All applications, operating systems, data (including databases), user configuration information, network devices configuration and hardware configuration information (where applicable) must be backed up in accordance with the Backup and Restoration Procedure. Separate systems specific backup and restoration procedures must be developed in accordance with system requirements and vendor recommendations. These procedures must be documented and implemented during (and as part of) system implementation.   Additional Circulars/Instructions related to BCP, DRP, BRP should be followed by respective persons. 60 | P a g e 12.6 Backup Restoration Procedures: The System Administrator is to be responsible for testing system software and data backups by restoring a sample of the backups according to a formal schedule in the test environment. The higher authority is to be responsible for controlling and supervising backup testing. Restoration procedures must be regularly checked (at least on an annual basis) and tested to ensure that they are effective and that they can be completed within the time allotted in the operational procedures for recovery. 12.7 Documentation of Restoration Process: Documentation of the restoration process must include procedures for the recovery from single-system or application failures as well as for Janata Bank Limited Data Center, DRS, Tier-2 & Tier-3 located disaster scenario. 
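The copy-count, encryption and restore-test rules of 12.4 and 12.6 can be checked mechanically against a backup catalogue. The script below is an added example, not code from the policy or from the bank; the catalogue fields, the dataset names, the reference date and the "DC"/"OFFSITE" location labels are assumptions made for illustration.

```python
"""Backup-policy compliance check over a constructed backup catalogue.
Added example (not part of the Janata Bank ICT Policy). Rules encoded:
two copies per cycle, one at the Data Center ("DC") and one off-site
("OFFSITE"); confidential backups encrypted; restore test <= 1 year old."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

REQUIRED_CYCLES = ("daily", "weekly", "monthly", "quarterly", "yearly")


@dataclass
class BackupCopy:
    dataset: str                       # constructed name, e.g. "core-banking-db"
    cycle: str                         # one of REQUIRED_CYCLES
    location: str                      # assumed labels: "DC" or "OFFSITE"
    encrypted: bool
    confidential: bool
    last_restore_test: Optional[date]  # date of the last sample restore


def check_catalogue(copies: List[BackupCopy], today: date) -> List[str]:
    """Return policy findings tagged with the clause; empty list = compliant."""
    findings = []
    groups = {}
    for c in copies:
        groups.setdefault((c.dataset, c.cycle), []).append(c)
        if c.confidential and not c.encrypted:
            findings.append(f"{c.dataset}/{c.cycle}@{c.location}: "
                            "confidential backup stored unencrypted [12.4]")
    for ds in sorted({c.dataset for c in copies}):
        for cycle in REQUIRED_CYCLES:
            locs = {c.location for c in groups.get((ds, cycle), [])}
            if not {"DC", "OFFSITE"} <= locs:   # both sites needed per cycle
                findings.append(f"{ds}/{cycle}: need one copy at DC and one "
                                f"off-site, found {sorted(locs)} [12.4]")
        tests = [c.last_restore_test for c in copies
                 if c.dataset == ds and c.last_restore_test]
        if not tests or today - max(tests) > timedelta(days=365):
            findings.append(f"{ds}: no restore test in the last year [12.6]")
    return findings


# Constructed catalogue: one fully compliant dataset and one with gaps.
TODAY = date(2016, 3, 31)
SAMPLE = [BackupCopy("core-banking-db", cyc, loc, True, True, date(2016, 1, 15))
          for cyc in REQUIRED_CYCLES for loc in ("DC", "OFFSITE")]
SAMPLE.append(BackupCopy("branch-file-share", "daily", "DC", False, True,
                         date(2014, 12, 1)))
```

Running `check_catalogue(SAMPLE, TODAY)` reports nothing for the compliant dataset and seven findings for the other: the unencrypted confidential copy, the missing off-site copy for every cycle, and the stale restore test.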
Glossary and Acronyms

2-FA - Two Factor Authentication
ACL - Access Control List
AMC - Annual Maintenance Contract
AML - Anti-Money Laundering
BCP - Business Continuity Plan
BRP - Backup and Restore Plan
CCTV - Closed Circuit Television
CDC - Central Data Center
CD ROM - Compact Disk Read Only Memory
COB - Close Of Business
DC - Data Center
DNS - Domain Name System
DDoS - Distributed Denial of Service
DoS - Denial of Service
DR - Disaster Recovery
DRP - Disaster Recovery Plan/Database Restore Plan
DRS - Disaster Recovery Site
DSL - Digital Subscriber Line
E-mail - Electronic Mail
EoD - End of Day
I-banking - Internet Banking
ICT - Information and Communication Technology
IP - Internet Protocol
IPS - Intrusion Prevention System
ISDN - Integrated Services Digital Network
IT - Information Technology
JBL - Janata Bank Limited
LAN - Local Area Network
PCI DSS - Payment Card Industry Data Security Standard
PCs - Personal Computers
PDA - Personal Digital Assistant
PIN - Personal Identification Number
PKI - Public Key Infrastructure
SAN - Storage Area Network
SDLC - Software Development Life Cycle
SLA - Service Level Agreement
SSH - Secure Shell
SSL - Secure Sockets Layer
TCP - Transmission Control Protocol
UAT - User Acceptance Test
UPS - Uninterruptible Power Supply
UID - User Identification
VLAN - Virtual Local Area Network
VPN - Virtual Private Network
WAN - Wide Area Network

Annexure 1: Dispensation Form

Reference: _______________  Date: _________

Section I: Requester Information
Name of the Office:
Requested by:
Requestor's designation:
Requestor's telephone #:
Request Date:

Section II: Risk Overview
Guideline reference (clause) and description:
Risk details (process/application/system/product):
Justification:
Plan of mitigation:
Mitigation date:

Section III: Approvals
The undersigned agree and accept the risk documented on this form.
Name:
Designation:
Comments:
Date:
Signature & Seal:

Annexure 2: Request Form

Reference: _______________  Date: _________

Section I: Requester Information
Branch/Division Name:
Submitted by:
Contact No.:
Request details (attach extra pages if necessary):
Justification:
Request Date:

Section II: Approvals
The undersigned agree and accept the change documented on this form.
Name:
Designation:
Comments:
Date:
Signature & Seal:

Section III: Implementer Details
The undersigned has implemented the change requested on this form.
Request reference No.:
Date of request implementation:
Request implementation details:
Was the request completed successfully?  Yes / No
Name:
Designation:
Signature & Seal:

Signature & Seal (Requester)        Signature & Seal (Head of Branch/Division)

Annexure 3: Change Management Form

Reference: _______________  Date: _________

Section I: Requester Information
Branch/Division Name:
Submitted by:
Change description:
Change purpose:
Request Date:

Signature & Seal (Requester)        Signature & Seal (Head of Branch/Division)

Section II: Approvals
The undersigned agree and accept the change documented on this form.
Name:
Designation:
Comments:
Date:
Signature & Seal:

Section III: Implementer Details
The undersigned has implemented the change requested on this form.
Change reference No.:
Date of change implementation:
Change implementation details:
Was the change successful?  Yes / No
Name:
Designation:
Signature & Seal:

Signature & Seal (Requester)        Signature & Seal (Head of Branch/Division)

Annexure 4: User Acceptance Test (UAT)

Reference: _______________  Date: _________

Application/System Name:
Change Request Reference: _______________  Date: _________
Test scope (detailed test plan):
Expected result:
Actual result:
User Acceptance Test:  Fail / Success
Comments:
Signature & Seal:

Annexure 5: Request Form for User ID Creation

Reference: _______________  Date: _________

Section I: Requester Information
Name:
Designation:
Contact information & number:
Age of work:
Request Date:

Section II: Approvals
We, the undersigned, have created the following User ID, verified it and provided menu permissions.
User ID:
User Name:
Approval/Verification User:
Permitted Menu (should be based on the official order): _______________________________

(Signature & Seal)                  (Signature & Seal)

Section III: Lock/Block/Withdrawal of User ID
(At the time of transfer, suspension or withdrawal of registration of the concerned official)
Blocked/Locked by:
Name:
Designation:
Date:

After creation, lock, block or withdrawal of a User ID, the details must be recorded in the Password Register.